MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
The critical heuristic firing indicates the exploitation of CVE-2017-0199, which is a known vulnerability used to download and execute remote content. The embedded URL 'https://cebol.me/zsXf68?&' is likely the source of the secondary payload. The presence of embedded PDF streams and font data suggests a complex document structure designed to facilitate the exploit.
Heuristics 2
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://cebol.me/zsXf68?&
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_001_off0001452b.binb0a7e7055d5b66edffe76c7b1f32ec80318d696df6181f1536f27aa69517872f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1452B | 566620 bytes |
stream_002_off000441fe.bin0d5715bfb4def94d644e408c5ed714ea2ac557b061d036e7fdcf0a2bf1c990e2 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x441FE | 398152 bytes |
font_02_sfnt_off0005d2ce.binff37b045be3591e8cfbfa76f5dec51bee78deccafa1dc391d1edb36502c7f815 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D2CE | 346068 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.