Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4d08b5983d47e4e9…

MALICIOUS

Office (OLE) / .XLS

Size: 152.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2023-02-14

MD5: 46d3c7d3603c734d18fb9c1001687277
SHA-1: c8460d7ec9751b63b8b5dfe6f358c37e0dd6e075
SHA-256: 4d08b5983d47e4e98391a90f216a755b09739ae63e9d1c4216d2a5493c8467b7

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model and Distributed Component Object Model

The critical heuristic firing for CVE_2017_11882_EQUATION_OLE10NATIVE indicates the exploitation of a known vulnerability in Microsoft Equation Editor. This suggests the file is designed to deliver a secondary payload upon opening, leveraging the Equation Editor object to achieve code execution. No document body or script content was available for further analysis.

Heuristics (2)

  • Equation Editor Ole10Native payload — CVE-2017-11882 [severity: critical] [CVE likely] rule: CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object [severity: high] [CVE related] rule: OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 47caf3df4606e57ba7e382c1cb2364f80d630d32a17d2fe6de65ec73ab8fe7fa
Kind: ole-package
Source: OLE Ole10Native stream: MBD012088C9/olE10NAtIVE
Size: 1688 bytes