Office (OLE) / .DOC malware analysis — malicious · 0fb94db05cbbae56

MALICIOUS

Office (OLE) / .DOC

959.0 KB First seen: 2022-08-23

MD5: f904e2337fc98be239fd63f9bfcef93b SHA-1: a1a6c910684ace7619edb283c14aa85e4f4658d2 SHA-256: 0fb94db05cbbae56eb82384805f9a4b7737f7f411a396816f3c4b7a272276f4e

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample contains an embedded Equation Editor OLE object that is known to be used to exploit CVE-2017-11882. This vulnerability allows for arbitrary code execution when the document is opened. The presence of the 'OLE10nAtivE' payload strongly indicates exploitation of this specific vulnerability. No document body text or scripts were extracted, but the critical heuristic firing is sufficient for attribution.

Heuristics 3

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
x86 GetPC stub (CALL $+5; POP EDX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDX)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `922c538d5e65e16404ae0d342c7d2cd0c5c70f6d5e735a42609ff845fd45cdfd`	ole-package	OLE Ole10Native stream: OLE10nAtivE	971810 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.