Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5048d2b2c4745432…

MALICIOUS

Office (OLE) / .DOC

Size: 992.5 KB
First seen: 2022-07-19
MD5: df82e854e516c43b57a317f293d5a225
SHA-1: dd8bdbe0fcd2ba80cfd3979bde02f34d12c13054
SHA-256: 5048d2b2c4745432f75758b142d7769fdc46ba47ac9c94e0735d8c6448a8574d
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample triggers the critical heuristic CVE_2017_11882_EQUATION_OLE10NATIVE, indicating exploitation of a known vulnerability in Microsoft Equation Editor (CVE-2017-11882). The presence of an OLE object together with the 'Password-protected archive handoff' heuristic suggests the document is designed to trick the user into opening a password-protected archive, likely containing a secondary payload. No scripts were extracted, and the document body was truncated, limiting further analysis.

Heuristics (4)

  • Equation Editor Ole10Native payload — CVE-2017-11882 [critical, CVE likely] (CVE_2017_11882_EQUATION_OLE10NATIVE)
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object [high, CVE related] (OLE_EQUATION_EDITOR)
    Contains an Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP EDX) [high] (SC_GETPC_CALL)
    Shellcode-style x86 GetPC stub (CALL $+5; POP EDX) found in the sample.
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 6eb9d2d0274d26b59da77e852868f8f639697dfb7ac019bf2cd2f0605287d314
Kind: ole-package
Source: OLE Ole10Native stream (stream name as found: OlE10NAtIVE)
Size: 1006080 bytes