Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4afa346c91126557…

MALICIOUS

Office (OLE) / .DOC

Size: 4.0 KB
First seen: 2026-05-11
MD5: f126c6112937d976c79cbbb7d1647029
SHA-1: bafed6c922be8ddd9477ce0375d52423aee3d609
SHA-256: 4afa346c911265579f725ee9c422111fd95a0332702fec9b03ee547dc03f4797
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The presence of an Equation Editor OLE object is a strong indicator of an attempted exploit of the legacy equation editor (EQNEDT32.EXE). VBA macros could not be extracted because the container format is not supported by the macro parser, so the OLE object itself is the most likely exploitation vector; the shellcode recovered from it stages a download from the URLs listed under the heuristics below. Further analysis of the embedded MTEF stream would be needed to confirm which vulnerability is targeted and to obtain the second-stage payload.

Heuristics (3)

  • Equation Editor OLE object (severity: high, category: CVE related, rule: OLE_EQUATION_EDITOR)
    Contains an Equation Editor object (CLSID {0002CE02-0000-0000-C000-000000000046}), the component abused by CVE-2017-11882 / CVE-2018-0802. The CLSID only shows that the object is present; the exploit primitive is a malformed MTEF record in the embedded equation stream, which must be confirmed separately.
  • Equation Editor shellcode downloads a second-stage payload (severity: critical, rule: OLE_MTEF_SHELLCODE_DOWNLOAD_URL)
    The shellcode reached by the Equation Editor overflow resolves download/execute APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub. The host is written as a single number with a leading zero (http://000030000706151), which inet_aton-style host parsers read as octal and resolve to 192.3.140.105; both spellings are surfaced so that either form can be matched by blocklists and proxy logs.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://v1249.dh.net.ua/first/agent.exe (in document text, OLE body)
    • http://000030000706151 (in document text, OLE body)
    • http://192.3.140.105 (decoded from obfuscated IP host 000030000706151)
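As an added example, not part of this report or of the scanner's own code, the following Python reproduces the host normalisation the second heuristic describes and runs it over the three URLs listed above. It applies inet_aton rules (a 0x prefix is hex, a leading 0 is octal, anything else is decimal; with fewer than four components the last one fills the remaining bytes), which is why 000030000706151 decodes to 192.3.140.105. The function names and the `REPORT_URLS` list are my own; the URLs in it are the ones the report surfaces.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Sample input: the URLs surfaced by the report above.
REPORT_URLS = [
    "http://v1249.dh.net.ua/first/agent.exe",
    "http://000030000706151",
    "http://192.3.140.105",
]


def _parse_part(part: str):
    """Parse one dotted component with inet_aton rules: 0x.. hex, 0.. octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]*", part):          # a lone "0" is octal zero as well
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None                                  # not a numeric component (e.g. "v1249")


def decode_obfuscated_ipv4(host: str):
    """Return the dotted-quad form of an inet_aton-style host, or None if it is not one.

    Accepts 1 to 4 components; the last component fills the remaining bytes,
    so '192.3.35945' == '192.3.140.105' and '000030000706151' is one octal
    32-bit value. Components other than the last must fit in a byte.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    if any(n > 0xFF for n in nums[:-1]):
        return None
    tail_bits = 8 * (5 - len(parts))             # bits covered by the last component
    if nums[-1] >= 1 << tail_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << tail_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalise_url(url: str):
    """Return (url, normalised_url); normalised_url is None unless the host was obfuscated."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_obfuscated_ipv4(host)
    if decoded is None or decoded == host:       # plain name, or already canonical
        return url, None
    netloc = decoded if parts.port is None else f"{decoded}:{parts.port}"
    return url, urlunsplit(parts._replace(netloc=netloc))


def expand_report_urls(urls=REPORT_URLS):
    """Surface both spellings of each obfuscated host, de-duplicated, as the heuristic does."""
    out, seen = [], set()
    for url in urls:
        for candidate in normalise_url(url):
            if candidate is not None and candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    for u in expand_report_urls():
        print(u)
```

The standard `ipaddress` module is deliberately not used here: it rejects octal, hex and short forms, so it cannot tell you what a WinINet- or inet_aton-based client will actually connect to. Run the same function over proxy and DNS logs if you want to catch other spellings of the same host.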