MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is an OOXML spreadsheet (the embedded part sits under xl/embeddings/) carrying an OLE object whose CLSID identifies it as a Microsoft Equation Editor object. Two high-severity heuristics fire on that object. Its Ole10Native stream is large (1035834 bytes, far more than a genuine equation needs), high-entropy, and has inconsistent package size fields, which marks it as a payload container rather than an equation. A NOP sled of 96 consecutive 0x90 bytes was also found, consistent with shellcode staged for exploitation of the legacy Equation Editor component (T1203). The report assigns no specific CVE: the heuristic only does so when an MTEF/Equation Native primitive also matches, so the exact bug being exploited is not established by static analysis alone. Note that the Ole10Native stream name is reported in mixed case (ole10NaTiVe); compound-file stream lookups are case-insensitive, so Office still resolves it, but a case-sensitive string signature for "Ole10Native" would not. The document body is a list of part numbers and quantities, likely a lure (T1566.001).
Heuristics (4)

- Equation Editor OLE object [high] OLE_EQUATION_EDITOR
  Embedded OLE object xl/embeddings/mzu.UggZ8y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.

- NOP sled detected [high] SC_NOP_SLED
  Found 20+ consecutive 0x90 bytes.
  Disassembly (attempted x86 opcode disassembly): 96 consecutive 0x90 (nop) instructions at offsets 00003385 through 000033E4 of the analysed buffer:
    00003385 90 nop
    00003386 90 nop
    00003387 90 nop
    ...
    000033E3 90 nop
    000033E4 90 nop

- Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
  Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.

- Embedded OLE object [medium] OOXML_OLE_OBJECT
  Document contains an embedded OLE object.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/mzu.UggZ8y | 1046528 bytes | 5485b956874fff34100f2795ce0fcca9c902f9875d6d4ae224b41a29aa091f95 |
| ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/mzu.UggZ8y Ole10Native stream: ole10NaTiVe | 1035834 bytes | 771bd7a893cd1236eeb977bfdcd50d2c9488a3f16232843f8ecff4862eca2d09 |
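The checks behind the four heuristic IDs above, plus the case-insensitive match needed for the mixed-case stream name in the artifacts table, as an added Python example. This is not the analyzer's code. It works on a constructed stand-in for the sample: a flat blob carrying the Equation Editor CLSID in place of a real compound file, and a Packager (Ole10Native) stream whose total-size field is forged to reproduce "malformed package sizing". The Ole10Native layout assumed is the one open-source parsers such as oletools use (4-byte total size, 2-byte flags, label, path, 4 unknown bytes, temp-path length, temp path, 4-byte data size, data). The 20-byte sled threshold is the report's; the 32 KiB payload and 7.0 bits/byte entropy thresholds, the label `package.bin` and its path are this example's own assumptions; `mzu.UggZ8y` and `ole10NaTiVe` are copied from the report.

```python
import hashlib
import math
import re
import struct
import uuid
from collections import Counter

# Equation Editor 3.0 class ID, in the little-endian byte order a CFB directory entry uses.
EQNEDT_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
MIN_SLED = 20              # report: "20+ consecutive 0x90 bytes"
LARGE_PAYLOAD = 32 * 1024  # assumption: genuine equation objects are a few KB at most
HIGH_ENTROPY = 7.0         # assumption, bits/byte; packed or encrypted data sits near 8.0

def pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 at most."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def nop_sleds(data, min_len=MIN_SLED):
    """(offset, length) of every run of at least min_len 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]

def is_ole10native(stream_name):
    """Compound-file stream names match case-insensitively: 'ole10NaTiVe' is '\\x01Ole10Native'."""
    return stream_name.lstrip("\x01").lower() == "ole10native"

def build_ole10native(label, path, payload, total_size=None):
    """Serialise a Packager (Ole10Native) stream; total_size lets a caller forge the header."""
    cpath = path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00" + cpath
            + struct.pack("<II", 0, len(cpath)) + cpath
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body) if total_size is None else total_size) + body

def parse_ole10native(stream):
    """Walk the stream and collect the sizing inconsistencies the anomaly heuristic keys on."""
    def cstr(off):
        end = stream.index(b"\x00", off)
        return stream[off:end].decode("latin-1"), end + 1
    total, _flags = struct.unpack_from("<IH", stream, 0)
    label, off = cstr(6)
    path, off = cstr(off)
    _unknown, tmp_len = struct.unpack_from("<II", stream, off)
    off += 8
    temp_path = stream[off:off + tmp_len].rstrip(b"\x00").decode("latin-1")
    off += tmp_len
    (data_size,) = struct.unpack_from("<I", stream, off)
    off += 4
    anomalies = []
    if total != len(stream) - 4:
        anomalies.append("total_size=%d but the stream carries %d bytes" % (total, len(stream) - 4))
    if off + data_size > len(stream):
        anomalies.append("data_size=%d overruns the stream by %d" % (data_size, off + data_size - len(stream)))
    return {"label": label, "path": path, "temp_path": temp_path,
            "payload": stream[off:off + data_size], "anomalies": anomalies}

def assess(ole_bytes, streams):
    """Emit the report's heuristic IDs for one OLE part given its {stream name: bytes}."""
    findings = []
    if EQNEDT_CLSID_LE in ole_bytes:  # a real tool reads the CLSID from the root directory entry
        findings.append("OLE_EQUATION_EDITOR")
    for name, data in streams.items():
        if not is_ole10native(name):
            continue
        pkg = parse_ole10native(data)
        if ("OLE_EQUATION_EDITOR" in findings and len(pkg["payload"]) > LARGE_PAYLOAD
                and entropy(pkg["payload"]) > HIGH_ENTROPY and pkg["anomalies"]):
            findings.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
        if nop_sleds(pkg["payload"]):
            findings.append("SC_NOP_SLED")
    return findings

# Constructed sample: 32 NOPs then 64 KiB of high-entropy bytes, wrapped in a Packager stream
# whose total-size field is forged (the "malformed package sizing"). The part is a flat
# stand-in for a compound file: 8-byte CFB magic, the CLSID, then the stream.
PAYLOAD = b"\x90" * 32 + pseudo_random(64 * 1024)
STREAM = build_ole10native("package.bin", "C:\\tmp\\package.bin", PAYLOAD, total_size=0x10)
OLE_PART = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + EQNEDT_CLSID_LE + STREAM

def analyse_part(part):
    """Findings for the stand-in part; the stream name is copied from the report's artefact table."""
    return assess(part, {"ole10NaTiVe": part[24:]})
```

Against a real sample the only pieces to swap are the container layers: unzip the OOXML and take every part under `xl/embeddings/` (or `word/`, `ppt/`) whatever its file name, open each with olefile, read the CLSID from the root directory entry, and pass the streams `listdir()` returns through `assess` so that `is_ole10native` does the case-insensitive match. The sled check runs over the carved Packager payload, not the whole document, which is also where the report's disassembly offsets point.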