Office (OLE) / .XLSX malware analysis — malicious · 33a038480dc2e548

MALICIOUS

Office (OLE) / .XLSX

215.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2022-10-31

MD5: b36dae270745b6f5a537d200ef244110 SHA-1: 42414f549c50baf20c0805485830ab97ed908135 SHA-256: 33a038480dc2e54840c96ff3760ced30dd8783cc0cd58b9c1a3c057234bd2539

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1559.001 Component Object Model Hijacking

The critical heuristic firing for CVE_2017_11882_EQUATION_OLE10NATIVE clearly indicates exploitation of this known vulnerability. The presence of an Equation Editor OLE object further supports this finding. The exact payload and its subsequent actions are not detailed, but the exploitation method is evident.

Heuristics 2

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `e3008b40f01c7edde60acbc8793d7f75dfabc995d168b7d15e97ae81659e3c0e`	ole-package	OLE Ole10Native stream: MBD03666CBA/Ole10NATive	1482 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.