Trusted Design

Microsoft Office OLE2Link vulnerability samples - a quick triage

概要

On April 7th 2017 Haifei Li published on the McAfee blog1 about a “Critical Office Zero-Day” in the wild. Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis. A further blog by FireEye titled “Acknowledgement of Attacks Leveraging Microsoft Zero-Day” provided additional useful information. During testing we were able to generate a number of proof-of-concept (PoC) documents both with and without a prompt to the user. It is likely the vulnerability will be documented in full detail over the coming days. Therefore we instead discuss a number of ways to detect and analyse these documents using freely available tools. This information may be useful to any incident responder or blue team looking to defend an organisation.

Created: 2026-02-23

Indicators

• IPv4 - 95.141.38.110 -
• FileHash-SHA256 - e9339747b31f576e6d4049696a4f4bd7053bcd29dafb0a7f2e55b8aab1539b67 -
• URL - http://107.170.240.244/download/omgrtf.doc -
• FileHash-SHA256 - a7fa6e64286134448b369e4241798907eb9afd01d4024d51bc3a2790c453dd15 -
• URL - http://46.102.152.129/template.doc -
• IPv4 - 95.46.99.199 -
• URL - http://95.141.38.110/mo/dnr/tmp/template.doc -
• FileHash-SHA256 - b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1 -
• IPv4 - 107.170.240.244 -
• YARA - 59c6ae4789f48ffaee613c3896622a5f1974a564 -
• FileHash-SHA256 - d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055 -
• FileHash-SHA256 - 5af7fe6b74cf91450961cdb7fc31919e4cb6e401b693d99d2f4956697c5cb8ad -
• FileHash-SHA256 - b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd -
• URL - http://95.46.99.199/template.doc -
• FileHash-SHA256 - 3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5 -
• URL - http://212.86.115.71/template.doc -
• FileHash-SHA256 - 13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575 -
• IPv4 - 212.86.115.71 -
• IPv4 - 46.102.152.129 -
• URL - http://212.86.115.71/sage50.exe -
• FileHash-SHA256 - b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66 -
• FileHash-SHA256 - 14e4d9269304d5e92f300adfcc5cc4f65ead9b3898a3efbeac7e321ef3ca3b40 -
• FileHash-SHA256 - 4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd -

類似Pulses

• CVE-2015-0097 Exploited in the Wild (score: 0.73)
• Ongoing analysis of unknown exploit targeting Office 2007-2013 (score: 0.69)
• MS Office exploit analysis – CVE-2015-1641 (score: 0.63)
• Microsoft Office Zero-Day CVE-2015-2424 Leveraged By Tsar Team (score: 0.63)
• The KeyBoys are back in town (score: 0.60)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る