Trusted Design

Microsoft Office OLE2Link vulnerability samples - a quick triage

概要

On April 7th 2017 Haifei Li published on the McAfee blog1 about a “Critical Office Zero-Day” in the wild. Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis. A further blog by FireEye titled “Acknowledgement of Attacks Leveraging Microsoft Zero-Day” provided additional useful information. During testing we were able to generate a number of proof-of-concept (PoC) documents both with and without a prompt to the user. It is likely the vulnerability will be documented in full detail over the coming days. Therefore we instead discuss a number of ways to detect and analyse these documents using freely available tools. This information may be useful to any incident responder or blue team looking to defend an organisation.

Created: 2026-02-23

Indicators

類似Pulses

CVE-2015-0097 Exploited in the Wild (score: 0.73)
Ongoing analysis of unknown exploit targeting Office 2007-2013 (score: 0.69)
MS Office exploit analysis – CVE-2015-1641 (score: 0.63)
Microsoft Office Zero-Day CVE-2015-2424 Leveraged By Tsar Team (score: 0.63)
The KeyBoys are back in town (score: 0.60)

このPulseに関連する脅威アクター (事実ベース)

APT28

Score: 30.13

Matched TTPs:

T1110.001 - Password Guessing
T1559.002 - Dynamic Data Exchange
T1583.006 - Web Services
T1498 - Network Denial of Service
T1221 - Template Injection
T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer
T1137.002 - Office Test
T1204.001 - Malicious Link
T1550.001 - Application Access Token

MITREへのリンク →

APT29

Score: 12.13

Matched TTPs:

T1110.001 - Password Guessing
T1550.003 - Pass the Ticket
T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Cobalt Group

Score: 4.88

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

FIN7

Score: 6.90

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

MuddyWater

Score: 11.43

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1137.001 - Office Template Macros
T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Sidewinder

Score: 4.88

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

APT37

Score: 3.52

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer

MITREへのリンク →

Leviathan

Score: 4.88

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

BITTER

Score: 3.52

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer

MITREへのリンク →

TA505

Score: 4.88

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Patchwork

Score: 4.88

Matched TTPs:

T1559.002 - Dynamic Data Exchange
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Sandworm Team

Score: 5.98

Matched TTPs:

T1588.006 - Vulnerabilities
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Volt Typhoon

Score: 7.91

Matched TTPs:

T1588.006 - Vulnerabilities
T1217 - Browser Information Discovery
T1105 - Ingress Tool Transfer

MITREへのリンク →

Storm-0501

Score: 7.98

Matched TTPs:

T1588.006 - Vulnerabilities
T1556.009 - Conditional Access Policies

MITREへのリンク →

Medusa Group

Score: 6.92

Matched TTPs:

T1608.002 - Upload Tool
T1583.006 - Web Services
T1105 - Ingress Tool Transfer

MITREへのリンク →

Threat Group-3390

Score: 4.91

Matched TTPs:

T1608.002 - Upload Tool
T1105 - Ingress Tool Transfer

MITREへのリンク →

Fox Kitten

Score: 4.06

Matched TTPs:

T1217 - Browser Information Discovery
T1105 - Ingress Tool Transfer

MITREへのリンク →

APT38

Score: 9.96

Matched TTPs:

T1217 - Browser Information Discovery
T1036.006 - Space after Filename
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Scattered Spider

Score: 8.19

Matched TTPs:

T1217 - Browser Information Discovery
T1556.009 - Conditional Access Policies
T1105 - Ingress Tool Transfer

MITREへのリンク →

Moonstone Sleet

Score: 4.06

Matched TTPs:

T1217 - Browser Information Discovery
T1105 - Ingress Tool Transfer

MITREへのリンク →

Chimera

Score: 6.81

Matched TTPs:

T1217 - Browser Information Discovery
T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer

MITREへのリンク →

APT32

Score: 10.74

Matched TTPs:

T1550.003 - Pass the Ticket
T1583.006 - Web Services
T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

BRONZE BUTLER

Score: 4.62

Matched TTPs:

T1550.003 - Pass the Ticket
T1105 - Ingress Tool Transfer

MITREへのリンク →

Earth Lusca

Score: 3.37

Matched TTPs:

T1583.006 - Web Services
T1204.001 - Malicious Link

MITREへのリンク →

HAFNIUM

Score: 6.92

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1550.001 - Application Access Token

MITREへのリンク →

Contagious Interview

Score: 3.37

Matched TTPs:

T1583.006 - Web Services
T1204.001 - Malicious Link

MITREへのリンク →

Mustang Panda

Score: 8.69

Matched TTPs:

T1583.006 - Web Services
T1678 - Delay Execution
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Turla

Score: 4.15

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

ZIRCONIUM

Score: 4.15

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Confucius

Score: 7.30

Matched TTPs:

T1583.006 - Web Services
T1221 - Template Injection
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Gamaredon Group

Score: 7.30

Matched TTPs:

T1583.006 - Web Services
T1221 - Template Injection
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Saint Bear

Score: 3.37

Matched TTPs:

T1583.006 - Web Services
T1204.001 - Malicious Link

MITREへのリンク →

Kimsuky

Score: 6.90

Matched TTPs:

T1583.006 - Web Services
T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

TA578

Score: 3.37

Matched TTPs:

T1583.006 - Web Services
T1204.001 - Malicious Link

MITREへのリンク →

TA2541

Score: 4.15

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

Magic Hound

Score: 4.15

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

LazyScripter

Score: 4.15

Matched TTPs:

T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

RedCurl

Score: 5.49

Matched TTPs:

T1056.002 - GUI Input Capture
T1204.001 - Malicious Link

MITREへのリンク →

FIN4

Score: 5.49

Matched TTPs:

T1056.002 - GUI Input Capture
T1204.001 - Malicious Link

MITREへのリンク →

Dragonfly

Score: 3.93

Matched TTPs:

T1221 - Template Injection
T1105 - Ingress Tool Transfer

MITREへのリンク →

Tropic Trooper

Score: 3.93

Matched TTPs:

T1221 - Template Injection
T1105 - Ingress Tool Transfer

MITREへのリンク →

Inception

Score: 3.15

Matched TTPs:

T1221 - Template Injection

MITREへのリンク →

DarkHydrus

Score: 3.15

Matched TTPs:

T1221 - Template Injection

MITREへのリンク →

Aquatic Panda

Score: 3.52

Matched TTPs:

T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer

MITREへのリンク →

Wizard Spider

Score: 4.88

Matched TTPs:

T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer
T1204.001 - Malicious Link

MITREへのリンク →

APT41

Score: 3.52

Matched TTPs:

T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer

MITREへのリンク →

FIN13

Score: 3.52

Matched TTPs:

T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer

MITREへのリンク →

GALLIUM

Score: 3.52

Matched TTPs:

T1550.002 - Pass the Hash
T1105 - Ingress Tool Transfer

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

APT28

Score: 0.81

Matched TTPs:

T1137.002 - Office Test
T1221 - Template Injection
T1204.001 - Malicious Link
T1583.006 - Web Services
T1105 - Ingress Tool Transfer
T1110.001 - Password Guessing
T1559.002 - Dynamic Data Exchange
T1498 - Network Denial of Service
T1550.002 - Pass the Hash
T1550.001 - Application Access Token

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る