MALICIOUS
124
Risk Score
Heuristics 4
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://014013117744/wowoowowowo.php?&ɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢ In document text (OLE body)
- http://96.44.159.228/wowoowowowo.php?&ɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢɢDecoded from obfuscated IP host (014013117744)
- https://wwww.microsoft.com0In document text (OLE body)
- http://en.wikipedia.org/wiki/MIT_LicenseIn document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0ZIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0ZIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��In document text (OLE body)
- http://www.microsoft.com/PKI/docs/CPS/default.htm0@In document text (OLE body)
- http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0lIn document text (OLE body)
- http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0In document text (OLE body)
- http://www.microsoft.com/pkiops/Docs/Repository.htm0In document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0In document text (OLE body)
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_001_off00016841.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16841 | 400552 bytes |
SHA-256: f48ea04ac88d94e996724b0312c89f652abb5998d218f16ccdd544cbb7a84532 |
|||
icc_00_off0002814f.icc |
pdf-icc-profile | PDF ICC profile at offset 0x2814F | 536 bytes |
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d |
|||
font_00_sfnt_off0002f9a5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F9A5 | 35836 bytes |
SHA-256: 72d364d80d92a25f33929cd2035bec8826666c5562209ec6d92ccfa47393e8f0 |
|||
polyglot_child_pdf_off00001000.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x1000 | 953856 bytes |
SHA-256: ceba79d0daf1f48e9d59c9e451753fb413229fa0c5ee7fda9ffac3a3d4bb943d |
|||
polyglot_child_pdf_off00018400.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x18400 | 858624 bytes |
SHA-256: 524cb7592f1f80eb34423c9bb4751e2a26299c7d78a39468f021e4c98646b32a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.