MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics and ClamAV detections confirm the presence of the CVE-2017-11882 vulnerability, which is exploited for client execution. The document body appears to be a benign budget template, suggesting the exploit is the primary malicious function.
Heuristics 4
-
CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 4096 bytes |
SHA-256: 179bba7d342c2b34963d00a9dd92623087919b29fc4a294df80305d4f178979a |
|||
|
Detection
ClamAV:
Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload:
unlikely
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4056 bytes |
SHA-256: 272937d3a78fa3875cee073b0c04a2f9c9438aaeed043eb1f9b18b8afa283def |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.