MALICIOUS
108
Risk Score
Heuristics 6
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
VBA project contains no executable statements info OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://000030000626436/eiisweeoocuconomictimes.indiatimes.com.php?id=newsnew-updatesindia-set-to-get-first-private-gold-mine-today-all-about-andhra-pradeshs-swarnagiri-project-that-can-produces In document text (OLE body)
- http://192.3.45.30/eiisweeoocuconomictimes.indiatimes.com.php?id=newsnew-updatesindia-set-to-get-first-private-gold-mine-today-all-about-andhra-pradeshs-swarnagiri-project-that-can-producesDecoded from obfuscated IP host (000030000626436)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/pdf/1.3/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2412 bytes |
SHA-256: 1d3b71b8c6234aace88f31f6e674b07383e015a2e68993dcd4fc2526aa470fe5 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
stream_034_off0001c419.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1C419 | 4657 bytes |
SHA-256: 2d33f6487cf7c944ae8d88f5d2db061eecfc10de8c96a74cc9d5d3189c5f87b5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
|
|||
stream_040_off00020a9a.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x20A9A | 4824 bytes |
SHA-256: 6f1847071d0a717615b56a7c408f68dccb0f2fbe399bcedcad0b4b243de1a4fe |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
|
|||
font_00_sfnt_off00001e72.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E72 | 14684 bytes |
SHA-256: 3d5ef4c0eea3290cc6d42ebaac04c77d2fe5a4fc25a17c0233bc360a426d86b6 |
|||
font_01_cff_off00003f5e.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x3F5E | 660 bytes |
SHA-256: a6edf414c72392d4da5aeacd123abd40fc18be7ae90fbe761a92c3939d7207db |
|||
font_02_sfnt_off0000430b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x430B | 10088 bytes |
SHA-256: 00990978137e201bac9eb23be7c5b941499254e04f4f51edbe8db3360841f7f8 |
|||
font_03_sfnt_off0000d4bd.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD4BD | 52420 bytes |
SHA-256: 8117d1dc40a48be386da0951f62c5470ebee844bad91541e56260ebd568e0446 |
|||
font_04_cff_off00014583.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x14583 | 4980 bytes |
SHA-256: 5d7d34c425b6bab2bb07d4ce1888662343f89fe8e5cdd1c7ddf331e720075cc9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
|
|||
font_05_cff_off00018c58.bin |
pdf-font-stream | PDF embedded font (cff) at offset 0x18C58 | 695 bytes |
SHA-256: c0bcc76c0c443637c58b8fa95dfb9fc3095c30e1da8fbeef908115f71bc4576c |
|||
polyglot_child_pdf_off00034c00.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x34C00 | 463872 bytes |
SHA-256: 488575a6ec8a3182dbd648f3d592dbcf8490ff1bbb40f36b9faaebdf1c4de64c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.