Office (OLE) / .DOC malware analysis — malicious · 0a9490f23496ef2d

MALICIOUS

Office (OLE) / .DOC

1012.5 KB First seen: 2022-10-29

MD5: 98eca36c753cd4379232516a7387cb4c SHA-1: 205494357fe5c6271a7d11d24c4d52101d747730 SHA-256: 0a9490f23496ef2d03391b185f2ea7ddb417f8d8fe7a7f81173036fa38853468

100 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1204.001 Malicious Link

The critical heuristic firing for CVE-2017_11882_EQUATION_OLE10NATIVE indicates the exploitation of a known vulnerability in Microsoft Equation Editor. This technique is commonly used to drop and execute a secondary payload, likely contained within the embedded OLE object. The lack of readable document body text prevents further analysis of the lure, but the exploit itself is sufficient evidence of malicious intent.

Heuristics 2

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `4cafff5ed1878d3dc0c3c64abc70deeb515552877b651710c2e4ea7c685ca44e`	ole-package	OLE Ole10Native stream: OLe10nATiVe	1026208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.