Verdict: MALICIOUS (Risk Score 70)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The critical heuristic that fired indicates exploitation of CVE-2017-0199, a known vulnerability used to download and execute remote code. The embedded URL 'http://392128471' is highly suspicious and likely serves as the initial download source for a second-stage payload. Although VBA macros were present, they contained no executable statements, suggesting the exploit relies on the OLE vulnerability rather than macro execution.
Heuristics (3)
- OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [critical, CVE, likely, CVE_2017_0199]: Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but the extracted modules only contain attributes, options and comments and no executable statements.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://392128471 — in document text (OLE body)
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes | 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673 |
| stream_004_off00011a40.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x11A40 | 302130 bytes | cb4c471795f1104463ab9ac1b233ec71acdbbc1592855189941bd63a4086348e |
| stream_005_off000279a2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x279A2 | 546556 bytes | 3e10b51a9c36c4f22a3be0890059f975373155d913cbcc6bffdc9310ebf72990 |
| font_00_sfnt_off00007b11.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B11 | 100712 bytes | ced1bb1c102daa3031e6106f2d6d7325bf5f903a49cc36cad47599b0b9573d9c |
| font_01_sfnt_off0005472c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5472C | 23664 bytes | 629bb3ae58b48aa102bf50683221ccbb5b5da062adebb204d455eb5948abeb89 |
| font_02_sfnt_off0005773c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5773C | 350964 bytes | fad6c8b0f6b9cb4d69c4b4742cee82b85612951a9846b29e7bed8523e7a55930 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```