Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The OOXML document contains external OLE object relationships and OLE2Link objects that point to an external RTF file. These relationships are associated with known vulnerabilities CVE-2017-8759 and CVE-2023-36884, indicating the document is designed to exploit these flaws. The external RTF file is likely a secondary stage for delivering a malicious payload.
Heuristics (3)
- CVE-2023-36884 — external RTF auto-load relationship
  Severity: critical (CVE likely)
  Rule: CVE_2023_36884
  Document auto-load relationship references a remote RTF file (https://reports.dgps-govtpk.com/63645534-case/doc.rtf), matching the stronger Storm-0978/RomCom external-RTF delivery shape. Plain clickable hyperlinks are not enough for this CVE rule.
  URL: https://reports.dgps-govtpk.com/63645534-case/doc.rtf
  Relationship type: http://schemas.openxmlformats.org/officedocument/2006/relationships/oleobject
- OOXML OLE2Link remote document — CVE-2017-8759 related
  Severity: high
  Rule: CVE_2017_8759_RELATED
  Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
  URL: https://reports.dgps-govtpk.com/63645534-case/doc.rtf
- External OLE object relationship
  Severity: high
  Rule: OOXML_EXTERNAL_OLE_OBJECT
  Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  URL: https://reports.dgps-govtpk.com/63645534-case/doc.rtf