Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1b7a9d210a450d57…

MALICIOUS

Office (OLE) / .DOC

Size: 2.13 MB    First seen: 2022-05-24
MD5:     c2b87a8f8422dcc2d7ffadfa9ac6b54a
SHA-1:   baaf60ced2a39289a7da5fd8afda33e4e25c9f4e
SHA-256: 1b7a9d210a450d57972bfe54734c5d20a636a5b3b581d12c501eb9ad1b618dca
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The presence of an Equation Editor OLE object strongly suggests exploitation of a known vulnerability within that component. The GetPC stub heuristic further indicates code execution capabilities. While no specific document body text or scripts were extracted, the OLE object and associated heuristics point to a classic exploit delivery mechanism.

Heuristics (3)

  • Equation Editor OLE object [high] OLE_EQUATION_EDITOR (CVE related)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP ECX) [high] SC_GETPC_CALL
    A CALL $+5 / POP ECX sequence is a self-locating stub typical of position-independent shellcode; its presence indicates embedded native code, not merely an OLE container.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256:  28d4308c2b40675cba44b8d32fbb3ff1466df6332f40a47890e422815dc781bf
Kind:     ole-package
Source:   OLE Ole10Native stream: OlE10NAtIvE
Size:     2212664 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.