misp-circl-feed/feeds/circl/stix-2.1/582ab1cc-31a4-48f2-a0a1-4966950d210f.json

{
    "type": "bundle",
    "id": "bundle--582ab1cc-31a4-48f2-a0a1-4966950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:02:13.000Z",
            "modified": "2016-11-15T07:02:13.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--582ab1cc-31a4-48f2-a0a1-4966950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:02:13.000Z",
            "modified": "2016-11-15T07:02:13.000Z",
            "name": "OSINT - Microsoft Word Intruder 8 Adds Support for Flash Vulnerability CVE-2016-4117",
            "published": "2016-11-15T07:04:26Z",
            "object_refs": [
                "x-misp-attribute--582ab1de-24d4-49bc-b75e-4aee950d210f",
                "observed-data--582ab1ec-2cac-44d1-a284-4fa9950d210f",
                "url--582ab1ec-2cac-44d1-a284-4fa9950d210f",
                "indicator--582ab214-96fc-4872-a0d4-4571950d210f",
                "indicator--582ab215-1988-4420-8ee4-4a91950d210f",
                "indicator--582ab23d-ee90-448e-94af-4c7b950d210f",
                "indicator--582ab23e-0b44-4061-a5a7-4a22950d210f",
                "indicator--582ab280-d74c-4b25-9ba9-488d950d210f",
                "indicator--582ab280-a654-4b43-8965-46e0950d210f",
                "indicator--582ab280-93d0-4e65-9a53-4c44950d210f",
                "indicator--582ab2b2-f1ec-4afd-a1fe-4bab950d210f",
                "indicator--582ab2e2-7224-44bb-bde5-45c702de0b81",
                "indicator--582ab2e2-04d8-4350-9034-47f202de0b81",
                "observed-data--582ab2e2-ac44-4d94-b15a-49fa02de0b81",
                "url--582ab2e2-ac44-4d94-b15a-49fa02de0b81",
                "indicator--582ab2e2-d8f4-4280-a6b7-496902de0b81",
                "indicator--582ab2e2-f818-40da-baa0-4cec02de0b81",
                "observed-data--582ab2e3-dcb8-41a5-a5c6-434802de0b81",
                "url--582ab2e3-dcb8-41a5-a5c6-434802de0b81",
                "vulnerability--582ab2f5-a354-4ca8-981e-49c1950d210f"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "ms-caro-malware:malware-type=\"Exploit\"",
                "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--582ab1de-24d4-49bc-b75e-4aee950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:57:34.000Z",
            "modified": "2016-11-15T06:57:34.000Z",
            "labels": [
                "misp:type=\"comment\"",
                "misp:category=\"External analysis\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "comment",
            "x_misp_value": "Microsoft Word Intruder (MWI) is a kit designed for building malicious Microsoft Word documents for use in targeted attacks. The most recent iteration of MWI - Version 8 - supports a wide variety of vulnerabilities that actors can exploit via crafted Microsoft Word documents. Available on underground markets since 2013, we first identified MWI in March 2015 [1]. FireEye [2] and Sophos [3] provided additional documentation of the kit later that year.\r\n\r\nIn the mid-July 2016, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 21.0.0.213). At the end of August, MWI incremented to version 8, with the message \u00e2\u20ac\u0153MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158\u00e2\u20ac\u009d in an advertisement for the new version (see Appendix).\r\n\r\nWe were able to observe this updated version in the wild dropping various payloads; for example, we saw it dropping RTM Banker on October 21. In this case, the document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009d was delivered via email and targeted at retail, financial, and manufacturing verticals."
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--582ab1ec-2cac-44d1-a284-4fa9950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:57:48.000Z",
            "modified": "2016-11-15T06:57:48.000Z",
            "first_observed": "2016-11-15T06:57:48Z",
            "last_observed": "2016-11-15T06:57:48Z",
            "number_observed": 1,
            "object_refs": [
                "url--582ab1ec-2cac-44d1-a284-4fa9950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--582ab1ec-2cac-44d1-a284-4fa9950d210f",
            "value": "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-vulnerability"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab214-96fc-4872-a0d4-4571950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:58:28.000Z",
            "modified": "2016-11-15T06:58:28.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker",
            "pattern": "[file:hashes.SHA256 = 'a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T06:58:28Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab215-1988-4420-8ee4-4a91950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:58:29.000Z",
            "modified": "2016-11-15T06:58:29.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT",
            "pattern": "[file:hashes.SHA256 = 'fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T06:58:29Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab23d-ee90-448e-94af-4c7b950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:59:09.000Z",
            "modified": "2016-11-15T06:59:09.000Z",
            "description": "MWI8 C2",
            "pattern": "[domain-name:value = 'bibi.pro']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T06:59:09Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab23e-0b44-4061-a5a7-4a22950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T06:59:10.000Z",
            "modified": "2016-11-15T06:59:10.000Z",
            "description": "RTM C2",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.71.117']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T06:59:10Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab280-d74c-4b25-9ba9-488d950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:00:16.000Z",
            "modified": "2016-11-15T07:00:16.000Z",
            "description": "MWI8 C2",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.146.37.202']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:00:16Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab280-a654-4b43-8965-46e0950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:00:16.000Z",
            "modified": "2016-11-15T07:00:16.000Z",
            "description": "MWI8 C2",
            "pattern": "[domain-name:value = 'pink.publicvm.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:00:16Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"hostname\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab280-93d0-4e65-9a53-4c44950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:00:16.000Z",
            "modified": "2016-11-15T07:00:16.000Z",
            "description": "MWI8 C2",
            "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.80.32']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:00:16Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"ip-dst\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab2b2-f1ec-4afd-a1fe-4bab950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:06.000Z",
            "modified": "2016-11-15T07:01:06.000Z",
            "description": "MWI8 C2",
            "pattern": "[domain-name:value = 'take5market.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:01:06Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab2e2-7224-44bb-bde5-45c702de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:54.000Z",
            "modified": "2016-11-15T07:01:54.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9",
            "pattern": "[file:hashes.SHA1 = 'bbb813b77ecd9c96744a8766f458643a25c29e6c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:01:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab2e2-04d8-4350-9034-47f202de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:54.000Z",
            "modified": "2016-11-15T07:01:54.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9",
            "pattern": "[file:hashes.MD5 = '3faf65de1d15e606f76e5cd0a7739099']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:01:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--582ab2e2-ac44-4d94-b15a-49fa02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:54.000Z",
            "modified": "2016-11-15T07:01:54.000Z",
            "first_observed": "2016-11-15T07:01:54Z",
            "last_observed": "2016-11-15T07:01:54Z",
            "number_observed": 1,
            "object_refs": [
                "url--582ab2e2-ac44-4d94-b15a-49fa02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--582ab2e2-ac44-4d94-b15a-49fa02de0b81",
            "value": "https://www.virustotal.com/file/fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9/analysis/1476772587/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab2e2-d8f4-4280-a6b7-496902de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:54.000Z",
            "modified": "2016-11-15T07:01:54.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c",
            "pattern": "[file:hashes.SHA1 = '497c0ac63e9b4a7e728bba270aa4fcd0149ae968']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:01:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--582ab2e2-f818-40da-baa0-4cec02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:54.000Z",
            "modified": "2016-11-15T07:01:54.000Z",
            "description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c",
            "pattern": "[file:hashes.MD5 = '138b7ca6bd6a0e268dd847c04b84995a']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2016-11-15T07:01:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--582ab2e3-dcb8-41a5-a5c6-434802de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:01:55.000Z",
            "modified": "2016-11-15T07:01:55.000Z",
            "first_observed": "2016-11-15T07:01:55Z",
            "last_observed": "2016-11-15T07:01:55Z",
            "number_observed": 1,
            "object_refs": [
                "url--582ab2e3-dcb8-41a5-a5c6-434802de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--582ab2e3-dcb8-41a5-a5c6-434802de0b81",
            "value": "https://www.virustotal.com/file/a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c/analysis/1478789049/"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--582ab2f5-a354-4ca8-981e-49c1950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2016-11-15T07:02:13.000Z",
            "modified": "2016-11-15T07:02:13.000Z",
            "name": "CVE-2016-4117",
            "labels": [
                "misp:type=\"vulnerability\"",
                "misp:category=\"Payload delivery\""
            ],
            "external_references": [
                {
                    "source_name": "cve",
                    "external_id": "CVE-2016-4117"
                }
            ]
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}
chg: [misp-stix] STIX 2.1 export added 2023-04-21 14:44:17 +00:00			`{`
			`"type": "bundle",`
			`"id": "bundle--582ab1cc-31a4-48f2-a0a1-4966950d210f",`
			`"objects": [`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:02:13.000Z",`
			`"modified": "2016-11-15T07:02:13.000Z",`
			`"name": "CIRCL",`
			`"identity_class": "organization"`
			`},`
			`{`
			`"type": "report",`
			`"spec_version": "2.1",`
			`"id": "report--582ab1cc-31a4-48f2-a0a1-4966950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:02:13.000Z",`
			`"modified": "2016-11-15T07:02:13.000Z",`
			`"name": "OSINT - Microsoft Word Intruder 8 Adds Support for Flash Vulnerability CVE-2016-4117",`
			`"published": "2016-11-15T07:04:26Z",`
			`"object_refs": [`
			`"x-misp-attribute--582ab1de-24d4-49bc-b75e-4aee950d210f",`
			`"observed-data--582ab1ec-2cac-44d1-a284-4fa9950d210f",`
			`"url--582ab1ec-2cac-44d1-a284-4fa9950d210f",`
			`"indicator--582ab214-96fc-4872-a0d4-4571950d210f",`
			`"indicator--582ab215-1988-4420-8ee4-4a91950d210f",`
			`"indicator--582ab23d-ee90-448e-94af-4c7b950d210f",`
			`"indicator--582ab23e-0b44-4061-a5a7-4a22950d210f",`
			`"indicator--582ab280-d74c-4b25-9ba9-488d950d210f",`
			`"indicator--582ab280-a654-4b43-8965-46e0950d210f",`
			`"indicator--582ab280-93d0-4e65-9a53-4c44950d210f",`
			`"indicator--582ab2b2-f1ec-4afd-a1fe-4bab950d210f",`
			`"indicator--582ab2e2-7224-44bb-bde5-45c702de0b81",`
			`"indicator--582ab2e2-04d8-4350-9034-47f202de0b81",`
			`"observed-data--582ab2e2-ac44-4d94-b15a-49fa02de0b81",`
			`"url--582ab2e2-ac44-4d94-b15a-49fa02de0b81",`
			`"indicator--582ab2e2-d8f4-4280-a6b7-496902de0b81",`
			`"indicator--582ab2e2-f818-40da-baa0-4cec02de0b81",`
			`"observed-data--582ab2e3-dcb8-41a5-a5c6-434802de0b81",`
			`"url--582ab2e3-dcb8-41a5-a5c6-434802de0b81",`
			`"vulnerability--582ab2f5-a354-4ca8-981e-49c1950d210f"`
			`],`
			`"labels": [`
			`"Threat-Report",`
			`"misp:tool=\"MISP-STIX-Converter\"",`
			`"ms-caro-malware:malware-type=\"Exploit\"",`
			`"enisa:nefarious-activity-abuse=\"exploits-exploit-kits\""`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"`
			`]`
			`},`
			`{`
			`"type": "x-misp-attribute",`
			`"spec_version": "2.1",`
			`"id": "x-misp-attribute--582ab1de-24d4-49bc-b75e-4aee950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:57:34.000Z",`
			`"modified": "2016-11-15T06:57:34.000Z",`
			`"labels": [`
			`"misp:type=\"comment\"",`
			`"misp:category=\"External analysis\""`
			`],`
			`"x_misp_category": "External analysis",`
			`"x_misp_type": "comment",`
			"x_misp_value": "Microsoft Word Intruder (MWI) is a kit designed for building malicious Microsoft Word documents for use in targeted attacks. The most recent iteration of MWI - Version 8 - supports a wide variety of vulnerabilities that actors can exploit via crafted Microsoft Word documents. Available on underground markets since 2013, we first identified MWI in March 2015 [1]. FireEye [2] and Sophos [3] provided additional documentation of the kit later that year.\r\n\r\nIn the mid-July 2016, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 21.0.0.213). At the end of August, MWI incremented to version 8, with the message \u00e2\u20ac\u0153MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158\u00e2\u20ac\u009d in an advertisement for the new version (see Appendix).\r\n\r\nWe were able to observe this updated version in the wild dropping various payloads; for example, we saw it dropping RTM Banker on October 21. In this case, the document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009d was delivered via email and targeted at retail, financial, and manufacturing verticals."
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--582ab1ec-2cac-44d1-a284-4fa9950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:57:48.000Z",`
			`"modified": "2016-11-15T06:57:48.000Z",`
			`"first_observed": "2016-11-15T06:57:48Z",`
			`"last_observed": "2016-11-15T06:57:48Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--582ab1ec-2cac-44d1-a284-4fa9950d210f"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--582ab1ec-2cac-44d1-a284-4fa9950d210f",`
			`"value": "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-vulnerability"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab214-96fc-4872-a0d4-4571950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:58:28.000Z",`
			`"modified": "2016-11-15T06:58:28.000Z",`
			`"description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker",`
			`"pattern": "[file:hashes.SHA256 = 'a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T06:58:28Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab215-1988-4420-8ee4-4a91950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:58:29.000Z",`
			`"modified": "2016-11-15T06:58:29.000Z",`
			`"description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT",`
			`"pattern": "[file:hashes.SHA256 = 'fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T06:58:29Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab23d-ee90-448e-94af-4c7b950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:59:09.000Z",`
			`"modified": "2016-11-15T06:59:09.000Z",`
			`"description": "MWI8 C2",`
			`"pattern": "[domain-name:value = 'bibi.pro']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T06:59:09Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"domain\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab23e-0b44-4061-a5a7-4a22950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T06:59:10.000Z",`
			`"modified": "2016-11-15T06:59:10.000Z",`
			`"description": "RTM C2",`
			`"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.71.117']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T06:59:10Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"ip-dst\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab280-d74c-4b25-9ba9-488d950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:00:16.000Z",`
			`"modified": "2016-11-15T07:00:16.000Z",`
			`"description": "MWI8 C2",`
			`"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.146.37.202']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:00:16Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"ip-dst\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab280-a654-4b43-8965-46e0950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:00:16.000Z",`
			`"modified": "2016-11-15T07:00:16.000Z",`
			`"description": "MWI8 C2",`
			`"pattern": "[domain-name:value = 'pink.publicvm.com']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:00:16Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"hostname\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab280-93d0-4e65-9a53-4c44950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:00:16.000Z",`
			`"modified": "2016-11-15T07:00:16.000Z",`
			`"description": "MWI8 C2",`
			`"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.80.32']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:00:16Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"ip-dst\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab2b2-f1ec-4afd-a1fe-4bab950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:06.000Z",`
			`"modified": "2016-11-15T07:01:06.000Z",`
			`"description": "MWI8 C2",`
			`"pattern": "[domain-name:value = 'take5market.com']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:01:06Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Network activity"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"domain\"",`
			`"misp:category=\"Network activity\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab2e2-7224-44bb-bde5-45c702de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:54.000Z",`
			`"modified": "2016-11-15T07:01:54.000Z",`
			"description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9",
			`"pattern": "[file:hashes.SHA1 = 'bbb813b77ecd9c96744a8766f458643a25c29e6c']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:01:54Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab2e2-04d8-4350-9034-47f202de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:54.000Z",`
			`"modified": "2016-11-15T07:01:54.000Z",`
			"description": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9",
			`"pattern": "[file:hashes.MD5 = '3faf65de1d15e606f76e5cd0a7739099']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:01:54Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--582ab2e2-ac44-4d94-b15a-49fa02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:54.000Z",`
			`"modified": "2016-11-15T07:01:54.000Z",`
			`"first_observed": "2016-11-15T07:01:54Z",`
			`"last_observed": "2016-11-15T07:01:54Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--582ab2e2-ac44-4d94-b15a-49fa02de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--582ab2e2-ac44-4d94-b15a-49fa02de0b81",`
			`"value": "https://www.virustotal.com/file/fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9/analysis/1476772587/"`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab2e2-d8f4-4280-a6b7-496902de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:54.000Z",`
			`"modified": "2016-11-15T07:01:54.000Z",`
			`"description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c",`
			`"pattern": "[file:hashes.SHA1 = '497c0ac63e9b4a7e728bba270aa4fcd0149ae968']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:01:54Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha1\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--582ab2e2-f818-40da-baa0-4cec02de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:54.000Z",`
			`"modified": "2016-11-15T07:01:54.000Z",`
			`"description": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c",`
			`"pattern": "[file:hashes.MD5 = '138b7ca6bd6a0e268dd847c04b84995a']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2016-11-15T07:01:54Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"md5\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "observed-data",`
			`"spec_version": "2.1",`
			`"id": "observed-data--582ab2e3-dcb8-41a5-a5c6-434802de0b81",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:01:55.000Z",`
			`"modified": "2016-11-15T07:01:55.000Z",`
			`"first_observed": "2016-11-15T07:01:55Z",`
			`"last_observed": "2016-11-15T07:01:55Z",`
			`"number_observed": 1,`
			`"object_refs": [`
			`"url--582ab2e3-dcb8-41a5-a5c6-434802de0b81"`
			`],`
			`"labels": [`
			`"misp:type=\"link\"",`
			`"misp:category=\"External analysis\""`
			`]`
			`},`
			`{`
			`"type": "url",`
			`"spec_version": "2.1",`
			`"id": "url--582ab2e3-dcb8-41a5-a5c6-434802de0b81",`
			`"value": "https://www.virustotal.com/file/a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c/analysis/1478789049/"`
			`},`
			`{`
			`"type": "vulnerability",`
			`"spec_version": "2.1",`
			`"id": "vulnerability--582ab2f5-a354-4ca8-981e-49c1950d210f",`
			`"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",`
			`"created": "2016-11-15T07:02:13.000Z",`
			`"modified": "2016-11-15T07:02:13.000Z",`
			`"name": "CVE-2016-4117",`
			`"labels": [`
			`"misp:type=\"vulnerability\"",`
			`"misp:category=\"Payload delivery\""`
			`],`
			`"external_references": [`
			`{`
			`"source_name": "cve",`
			`"external_id": "CVE-2016-4117"`
			`}`
			`]`
			`},`
			`{`
			`"type": "marking-definition",`
			`"spec_version": "2.1",`
			`"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",`
			`"created": "2017-01-20T00:00:00.000Z",`
			`"definition_type": "tlp",`
			`"name": "TLP:WHITE",`
			`"definition": {`
			`"tlp": "white"`
			`}`
			`}`
			`]`
			`}`