MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1071.001 Web Protocols
The critical heuristic firing for CVE-2017-0199 indicates that this OOXML document is designed to exploit a vulnerability in OLE linking to download and execute a remote payload from a provided URL. The document is encrypted with a default password, and contains embedded objects, further suggesting it's an exploit carrier. The primary attack vector is the exploitation of CVE-2017-0199 via a URL moniker.
Heuristics 3
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.URL https://cutt.ly/KkGBjal
-
Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPEDefault-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
-
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXMLOLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
Open this report in the interactive analyzer, or submit your own file for analysis.