MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File Execution: User Execution
T1059.001 Command and Scripting Interpreter: PowerShell
The sample leverages the Follina vulnerability (CVE-2022-30190) through an embedded OLE object pointing to an external URL. This technique is commonly used to download and execute further malicious stages. The ClamAV detection also confirms the presence of exploit code targeting this vulnerability.
Heuristics 5
-
CVE-2022-30190 — Follina stage-1 external HTML oleObject critical CVE likely CVE_2022_30190External OLEObject relationship targets a remote .html with the Follina delivery shape (oleObject -> HTTP(S) HTML with trailing Moniker '!'). In live Follina samples the ms-msdt: trigger is served by the remote HTML, not the document itself.
-
OOXML OLE2Link remote loader — CVE-2017-0199 related high CVE_2017_0199_RELATEDDocument contains an o:OLEObject Type=Link whose external oleObject relationship points to a remote URL. This is the OOXML OLE2Link activation shape associated with CVE-2017-0199 delivery, but the local file does not expose URL Moniker bytes or a weaponized extension/content type, so the exact CVE cannot be proven statically.
-
ClamAV: Win.Exploit.CVE_2022_30190-9951234-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.CVE_2022_30190-9951234-1
-
External OLE object relationship high OOXML_EXTERNAL_OLE_OBJECTDocument contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://akmalreload.com/struk/wellcome.html
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Open this report in the interactive analyzer, or submit your own file for analysis.