MALICIOUS
62
Risk Score
Heuristics 2
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://192.3.176.235/www.hipaavault.comresourceshipaa-compliant-cloud-storage-secure-your-healthcare-datashipping.php In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/pdf/1.3/In document text (OLE body)
- http://www.extensis.com/meta/FontSense/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- https://learn.microsoft.com/en-us/typography/font-list/calibrihttp://lucasfonts.comMicrosoftIn document text (OLE body)
- http://en.wikipedia.org/wiki/MIT_LicenseIn document text (OLE body)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_002_off0003143e.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3143E | 589956 bytes |
SHA-256: f2951dec6c447226a46f2ef66a88bc53bfb49ea238f8aa11495e3f4412148c78 |
|||
stream_004_off00069a10.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x69A10 | 568384 bytes |
SHA-256: bed483098579cb54e4c46d7bc96a8f67fffdabfe857d073fce5794e26d65f738 |
|||
font_00_sfnt_off0001b10c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B10C | 345200 bytes |
SHA-256: 29b7877085b9d58ec1e86435cb951197bb010b6a5da0cc21fa45b808e6f3bf66 |
|||
font_02_sfnt_off0009c76a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9C76A | 345900 bytes |
SHA-256: a1605696cbb7129724ec887654f8e3b881348b214a6fb0c2d399f9e039e8702c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.