MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File: User Execution
The critical heuristic firing indicates exploitation of CVE-2017-0199 via an OLE object, which is designed to act as a remote loader. The embedded object at 'xl/embeddings/oleObject1.bin' contains a URL pointing to a remote resource, strongly suggesting the document's purpose is to download and execute a second-stage payload. The OOXML is encrypted with a default password, a common technique to obscure malicious content.
Heuristics 3
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.URL https://n9.cl/25qf
-
Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPEDefault-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
-
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXMLOLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
Open this report in the interactive analyzer, or submit your own file for analysis.