Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample contains an Equation Editor OLE object and triggers critical heuristics related to CVE-2018-0802, indicating exploitation of a vulnerability for client execution. The presence of an OLE object within a document suggests it was likely delivered as a spearphishing attachment.
Heuristics (3)
- CVE-2018-0802 — Equation Editor SIZE record overflow (critical, CVE likely) [CVE_2018_0802]: Equation Editor MTEF contains an exploit-sized SIZE record, the vulnerable parser path described for CVE-2018-0802. This is stronger evidence than Equation Editor activation alone because it identifies the malformed SIZE record primitive.
- Equation Editor OLE object (high) [OLE_EQUATION_EDITOR]: Contains an Equation Editor object, related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
- MTEF SIZE record has implausibly large value (high) [OLE_MTEF_SIZE_RECORD_ANOMALY]: Equation Editor MTEF SIZE record declares an explicit point size or delta far beyond legitimate equation text. CVE-2018-0802 abuses the SIZE parsing path; this catches that structural record shape without relying on a fixed ROP payload.