MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a Microsoft Office Word document containing an embedded OLE object identified as an Equation Editor exploit. This type of object is commonly used to deliver and execute malicious payloads. The presence of this exploit suggests the document is designed to leverage CVE-2017-11882 or a similar vulnerability for initial code execution.
Heuristics 3
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object word/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 4096 bytes |
SHA-256: 68fc4be567745f072fb52d5a5950209105a9de2fb9d918496d68d106e9e7c5a5 |
|||
ooxml_oleobject_00_ole10native_00.bin |
ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 1798 bytes |
SHA-256: d5da2e7920ee493ab31b51a89840f974accb48dd0d3f9c264776218192429894 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.