Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5b962aefcc803956…

MALICIOUS

Office (OLE) / .DOC

Size: 6.0 KB
First seen: 2022-07-05
MD5: 075760f27fb008041b542a65a616ad4f
SHA-1: 73f067d8b6d704c6bcbf488980b56d957b6a89dc
SHA-256: 5b962aefcc8039567472ccf993df289327bbdda101fa4f76ceae10fce21c0843
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exploits CVE-2017-0199, a known vulnerability for remote code execution via specially crafted OLE objects. The embedded URL points to a secondary document, indicating a downloader pattern. The exploit likely facilitates the download and execution of a malicious payload from the specified URL.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199; severity: critical; confidence: likely) CVE_2017_0199
    The document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL's file extension is not a reliable filter: the server can return a different payload to Office's user agent than to any other client.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.227.168.194/500/invc_06.doc?&otter=shaky&okra=wise&eyeball=spooky&sunshine=adorable&burn-out=willing&mixture=ludicrous&spy=gruesome&offer=damaged&sweatsuit=ashamed&sari=cowardly&motorboat=naive&maraca=chubby&musculature=dark&chair=huge&blazer=testy&pantyhose=utter&engineer=sulky&workbench=dynamic&paramedic=nosy&analyst=shaggy&distance=reminiscent&repair=burly&spleen=phobic&astrology=elated&existence=anxious&game=adaptable&clipper=swift&change=abashed&attraction=penitent&eye=gifted&step-father=abaft&hip=sable&prizefight=apathetic&litigation=damaging&pelican=enthusiastic&futon=straight&mocha=easy&sword=condemned&chart=gamy&game=moldy&desk=big&lyric=helpless&pencil=better&quarter=painstaking&galleon=gifted&diction=nauseating&asparagus=vacuous&train=combative&fortress=rebellious&shell=overjoyed&stock-in-trade=incompetent&reminder=subsequent&geometry=abrasive&average=reminiscent&finance=subdued&appendix=abounding&numeracy=nasty