Exploit:XML/CVE-2017-0199.5a8d0e42 - Static technical inspection + OSINT analysis of the C&C

In this quick analysis we look at some interesting metadata attributes of an Exploit:XML/CVE-2017-0199.5a8d0e42 threat sample.

In the metadata attributes for the document author we find the value "Grizli777", which is associated with illegal and pirated Office licenses:

The last modified time is 29th October 2025 at 09:16 (UTC).
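The metadata review above (author value and last-modified time) can be scripted for triage. The following Python is an added example written for this write-up, not the analyst's own tooling: it reads docProps/core.xml from an OOXML package, reports author and modification time, flags the pirated-Office author value, and, going one step beyond the text, also flags any OLE relationship whose target is external, which is the CVE-2017-0199 document pattern. The package it builds is constructed to mirror the values seen here (not the real sample); the author blocklist, the external-target heuristic and the placeholder URL are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Author values associated with pirated Office installs. "Grizli777" is the value
# seen in the sample above; treating this list as a blocklist is an assumption.
SUSPICIOUS_AUTHORS = {"grizli777"}

# Relationship type for OLE objects; an External TargetMode pointing at a URL is the
# CVE-2017-0199 pattern (assumption: flagged as suspicious without deeper parsing).
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def triage_ooxml(blob: bytes) -> dict:
    """Return author, last-modified time and risk flags for an OOXML package."""
    report = {"author": None, "modified": None, "flags": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            creator = core.find("dc:creator", NS)
            modified = core.find("dcterms:modified", NS)
            report["author"] = creator.text if creator is not None else None
            report["modified"] = modified.text if modified is not None else None
            if (report["author"] or "").strip().lower() in SUSPICIOUS_AUTHORS:
                report["flags"].append("pirated-office-author")
        # Any .rels part can carry an oleObject relationship, so check them all.
        for name in names:
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    report["flags"].append("external-ole:" + (rel.get("Target") or ""))
    return report


def build_sample() -> bytes:
    """Constructed minimal package mimicking the metadata seen above (not the real sample)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<cp:coreProperties "
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>Grizli777</dc:creator>"
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2025-10-29T09:16:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    # The target URL below is a placeholder, not the sample's real download location.
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + OLE_REL_TYPE + '" '
        'Target="http://c2.example.invalid/PLACEHOLDER.doc" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```

On a real file, pass the bytes of the .docx/.xlsx directly to triage_ooxml; the two flags are independent, so a document with a suspicious author but no external OLE target is still reported, and vice versa.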


Here we have details about the C&C domain, reached via the URL shortener kt[.]mrmd[.]com:

The final URL is related to the malicious IP address 185[.]149[.]24[.]91; the URLs associated with it are malicious VBE and DOC downloaders:

In the metadata attributes analysis we also find evidence of equations related to sum functions:

A threat intelligence lookup of the IP address 185[.]149[.]24[.]91 shows the following open ports: 21 (FTP), 25 (SMTP), 80 (HTTP), 110 (POP3), 135 (DCERPC), 139 (NETBIOS), 143 (IMAP), 443 (HTTP), 445 (SMB), 3306 (MYSQL), 3389 (RDP), 5985 (WINRM) and 47001 (HTTP). The address is registered to Kuroit Limited in the USA:

The web server runs Apache under XAMPP:

Here are the details about the open MySQL and RDP services:

Here are some IP addresses with the same JARM fingerprint:

IOCs:

  • fe0a0a2f3db724029a5c01bd54696c21
  • 0d6460c8b1f65db4f57bb238f8974f09b0319781
  • 58454d3fec94b61f7769fb6354b27c7d43c2a0288aecd4d007f17f24c4509015
  • 185[.]149[.]24[.]91
  • b0s00dfg090s90g0fgc90cv.dOc
  • 0cb09b0s00dfg090s90g0fgc90cv.vbe
  • JARM HTTPS: 2ad2ad16d2ad2ad00042d42d00000061256d32ed7779c14686ad100544dc8d
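
To show how this IOC list would be consumed operationally, here is an added Python example (written for this post, not part of the original analysis): it refangs the defanged indicators, classifies each one by shape, and sweeps a handful of log lines for matches. The shortener domain kt[.]mrmd[.]com is taken from the C&C paragraph earlier; the log lines, hostnames and paths are constructed for the demonstration.

```python
import re

# IOCs from the list above, defanged as published, plus the shortener domain
# from the C&C paragraph earlier in the write-up.
RAW_IOCS = [
    "fe0a0a2f3db724029a5c01bd54696c21",
    "0d6460c8b1f65db4f57bb238f8974f09b0319781",
    "58454d3fec94b61f7769fb6354b27c7d43c2a0288aecd4d007f17f24c4509015",
    "185[.]149[.]24[.]91",
    "b0s00dfg090s90g0fgc90cv.dOc",
    "0cb09b0s00dfg090s90g0fgc90cv.vbe",
    "kt[.]mrmd[.]com",
]

# Constructed log lines for the demonstration; hosts, users and paths are invented.
SAMPLE_LOGS = [
    "2025-10-31T10:02:11Z proxy src=10.0.0.7 dst=185.149.24.91 "
    'url="http://185.149.24.91/b0s00dfg090s90g0fgc90cv.dOc" status=200',
    "2025-10-31T10:02:14Z edr host=WS-17 action=create "
    "file=C:\\Users\\user\\AppData\\Local\\Temp\\0cb09b0s00dfg090s90g0fgc90cv.vbe "
    "sha256=58454d3fec94b61f7769fb6354b27c7d43c2a0288aecd4d007f17f24c4509015",
    "2025-10-31T10:03:00Z proxy src=10.0.0.9 dst=93.184.216.34 "
    'url="https://example.com/" status=200',
]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be matched against raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Guess the indicator type from its shape (order matters: hashes before names)."""
    v = refang(ioc)
    if re.fullmatch(r"[0-9a-f]{32}", v, re.I):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", v, re.I):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", v, re.I):
        return "sha256"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4"
    if re.fullmatch(r"[\w.-]+\.(doc|docx|xls|xlsx|rtf|vbe|vbs|js|hta)", v, re.I):
        return "filename"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", v, re.I):
        return "domain"
    return "unknown"


def sweep(lines, iocs):
    """Case-insensitive substring sweep; returns (line_no, type, indicator) per hit."""
    table = [(refang(i).lower(), classify(i)) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for value, kind in table:
            if value in low:
                hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, RAW_IOCS):
        print(hit)
```

The sweep is case-insensitive on purpose: the DOC filename is published with a mixed-case extension (.dOc), and proxy and EDR logs do not normalise case consistently. Short filenames can collide with benign paths, so in practice a filename hit is a pivot to the hash and IP hits, not a verdict on its own.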

YARA rule:

rule ExploitXMLCVE201701995a8d0e42_31102025
{
    strings:
        $str = "WgeNuv?&----___-----___----g00gliss"
        $hex = { 57 67 65 4e 75 76 3f 26 2d 2d 2d 2d 5f 5f 5f 2d 2d 2d 2d 2d 5f 5f 5f 2d 2d 2d 2d 67 30 30 67 6c 69 73 73 }
    condition:
        any of them
}
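
A plain-Python check of the rule above, added here and not part of the original post: it converts the $hex pattern to bytes, confirms it spells exactly the same bytes as $str, and applies the rule's `any of them` condition to a constructed buffer. The hex-string translator goes slightly beyond what this rule needs by also accepting ?? wildcards; jumps and alternation are not handled, which is a stated limit of this example, not of YARA.

```python
import re

# The two strings from the rule above, copied verbatim.
RULE_STR = "WgeNuv?&----___-----___----g00gliss"
RULE_HEX = (
    "{ 57 67 65 4e 75 76 3f 26 2d 2d 2d 2d 5f 5f 5f 2d 2d 2d 2d 2d 5f 5f 5f "
    "2d 2d 2d 2d 67 30 30 67 6c 69 73 73 }"
)


def hex_tokens(pattern: str) -> list:
    """Split a YARA hex string into its byte tokens, dropping the braces."""
    return pattern.strip().strip("{}").split()


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Literal bytes of a wildcard-free hex string."""
    toks = hex_tokens(pattern)
    if any(t == "??" for t in toks):
        raise ValueError("pattern contains wildcards; use hex_pattern_to_regex")
    return bytes(int(t, 16) for t in toks)


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Bytes regex for a hex string with literal bytes and ?? wildcards only
    (jumps and alternation are unsupported: an assumption of this example)."""
    return b"".join(
        b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in hex_tokens(pattern)
    )


def patterns_agree() -> bool:
    """True when $hex encodes exactly the same bytes as $str."""
    return hex_pattern_to_bytes(RULE_HEX) == RULE_STR.encode("ascii")


def scan(data: bytes) -> dict:
    """Offsets of every match of $str and $hex in data."""
    return {
        "$str": [m.start() for m in re.finditer(re.escape(RULE_STR.encode("ascii")), data)],
        "$hex": [m.start() for m in re.finditer(hex_pattern_to_regex(RULE_HEX), data, re.S)],
    }


def rule_matches(data: bytes) -> bool:
    """The rule's condition, `any of them`: true if either string is found."""
    return any(scan(data).values())


# Constructed buffers: 16 bytes of padding before the marker, and a benign document.
SAMPLE = b"\x00" * 16 + RULE_STR.encode("ascii") + b"<o:p></o:p>"
BENIGN = b"<w:document>hello world</w:document>"


if __name__ == "__main__":
    print("hex/str agree:", patterns_agree())
    print("sample:", scan(SAMPLE), "matches:", rule_matches(SAMPLE))
    print("benign matches:", rule_matches(BENIGN))
```

Because $hex is a byte-for-byte encoding of $str, both strings fire at the same offset; keeping both in the rule only matters for engines or options where the text string would be subject to modifiers the hex string is not.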