MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1204.001 Malicious Link: Malicious Link
T1059 Command and Scripting Interpreter
T1059.001 Command and Scripting Interpreter: PowerShell
The sample is an encrypted OOXML document that exploits CVE-2017-0199 via an OLE2Link object. This vulnerability allows it to download and execute a remote document from the URL http://107.173.192.152/receipt/receipt.doc. The document body was not extractable due to encryption, but the exploit carrier and embedded URL strongly indicate a malicious downloader.
Heuristics 6
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMEDEncrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
-
Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPEDefault-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
-
Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGEOLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
-
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXMLOLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://107.173.192.152/receipt/receipt.doc?&wad=cooing&dead=permissible&analgesia=cowardly&quiver=worthless&theism=teeny-tiny&midi=classy&birch=splendid&drain=gifted&bronco=quickest&project=flat&line=obsequious&cod=late&briefs=divergent&mile=furtive&innervation=cagey&flytrap=wry÷=robust&crinoline=dramatic&peach=perfect&instrumentalist=rampant&mug=perfect&beggar=soft&interest=arrogant&ball=craven&automaton=massive&margaret=flowery&tie=tasteless&blade=annoying&campanile=tender&sidewalk=quixotic&coffin=rainy&disease=imported&ingrate=onerous&mover=harmonious&standoff=bumpy&mantel=courageous&chalk=wrong&purple=womanly&shanty=zonked&surgeon=steady&caftan=hollow&iraq=maddening&ephemera=overconfident&concrete=old&curve=earthy&potato=muddy&establishment=lopsided&trolley=ragged&salad=internal&twist=unsuitable&beyond=energetic&seat=wonderful&keyboarding=woozy&support=accidental&figurine=lovely&manicure=pretty&manservant=anxious&odometer=juicy&champion=permissible&marimba=stimulating&moth=successful&jailhouse=nervous&initiative=waggish&repeat=voiceless&armoire=tense&nondisclosure=scientific&tow-truck=bright&octavo=depressed&shore=frightened&pony=bad&importance=average&laptop=numerous&family=absurd&niece=adhesive&acknowledgment=lush&celeriac=shiny&eyebrows=obnoxious&heart-throb=plain&aluminium=frantic&piece=tiny&temporariness=marked&dipstick=agonizing&target=defective&shallot=changeable&chromolithograph=undesirable&stocking=fuzzy&intervenor=macho&sled=ad
Open this report in the interactive analyzer, or submit your own file for analysis.