Malicious Office (OLE) / .XLS — malware analysis report

Heuristics 3

• OLE2Link / URL Moniker weaponized URL — CVE-2017-0199 critical CVE exact CVE_2017_0199_WEAPONIZED_URL
  Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
• VBA project contains no executable statements low OLE_VBA_MACROS
  Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://______-----------------------@3324947722/166/Pic____IMG00900600707070550060606070704405045405040.hta�aܨ�9��M������Br#كE����k�[D��t�?ɭ�p�3��g��y-�zQ]E-UԈu�I���XE�E_E2���f�b�����m�����$TtN4uw2BakVcgJsAdJA8r1Ooqf7U2ZYNnm8Q02zci5QREUyfLy0FWPKLRNGCftg5ZSiaWGhSBZwdhsQYU5bp7X8cvj6JoAYg2bNNiwrTTl45m7l8COd7y6Ep5qWXjvnQ3yS76ls5vFV1Qb2ZDyU�RȐ^�u���

Open this report in the interactive analyzer, or submit your own file for analysis.