Office (OLE) / .XLS malware analysis — malicious · 408f686896c20e01

MALICIOUS

Office (OLE) / .XLS

149.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2022-10-24

MD5: cab0b8fc9b5c7109677ccaadc9b1863b SHA-1: ee7bc08bb8b134693f25cada5c8cd8eadf46fb8e SHA-256: 408f686896c20e01aff9c73606c2d5ba25549922c6cf205f21694035260fc72f

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE_2017_11882_EQUATION_OLE10NATIVE indicates the exploitation of a known vulnerability in Microsoft Equation Editor. This technique is commonly used to execute arbitrary code, often leading to the download and execution of further malicious payloads. The presence of an embedded OLE object further supports this attack vector.

Heuristics 2

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `50fcf7b8be648a96278a242182bc59275a24f621d9a4a218695bab7458af7a91`	ole-package	OLE Ole10Native stream: MBD014F0018/oLe10Native	1945 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.