Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5c65734e29bde0dc…

MALICIOUS

Office (OLE) / .DOC

Size: 3.0 KB
First seen: 2022-08-08
MD5: c53672ac9c81e5b3f56ee7bbcaacfdf0
SHA-1: e4f3b8a66eb909b0a5b54b3c77059834a9514145
SHA-256: 5c65734e29bde0dcf0589fc0a9aa73ceb962d1444d3c7498cef5893892d56f4c
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1559.002 Component Object Model and Distributed Component Object Model: OLE

The critical heuristic for CVE-2017-11882 indicates exploitation of the Equation Editor (EQNEDT32.EXE) FONT record overflow rather than mere presence of an Equation Editor object. The suspicious cmd.exe invocation is consistent with that exploit's payload stage: `cmd.exe /c%tmp%\Client.exe A` runs a second-stage executable, Client.exe, from the user's %tmp% directory with the argument `A`. The missing space after `/c` does not prevent execution, since cmd.exe accepts the command immediately after the switch. The report shows no dropper for Client.exe, so it must be staged in %tmp% by another component (for example another object in the carrier document) before this command runs; hunting for that companion artifact is the natural next step.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical | CVE likely] (CVE_2017_11882)
    The Equation Editor MTEF data contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high | CVE related] (OLE_EQUATION_EDITOR)
    Contains an Equation Editor object. Related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive; legitimate documents with equations also carry this CLSID.
  • Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD)
    The string `cmd.exe /c%tmp%\Client.exe A` is present in the object. The `/c` flag runs the given command and exits, so this is a one-shot launcher for a second-stage executable rather than an interactive shell.
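The two strongest heuristics above (the overlong FONT typeface field and the cmd.exe string) can be reproduced with a small scanner over the "Equation Native" stream. The following is an added example, not the analysis platform's own detector: it walks past the fixed EQNOLEFILEHDR (28 bytes) and the MTEF header (5 bytes), byte-scans the record area for a FONT tag (0x08) followed by a printable NUL-terminated name, and flags names longer than an assumed threshold of 40 bytes, which is far above any real typeface name. The input streams are constructed in the block (header version and clipboard-format fields zeroed, a 48-byte name built from the report's command plus 'A' padding); they are not bytes from the analysed sample, and the padding is a test fixture, not an exploit layout.

```python
"""Heuristic scanner for an Equation Editor "Equation Native" stream.

Added example: flags an overlong MTEF FONT typeface name (the copy primitive
behind CVE-2017-11882) and any embedded cmd.exe command line. It is a byte-scan
heuristic over the record area, not a complete MTEF record walker.
"""
import re
import struct

EQNOLEFILEHDR_LEN = 28  # cbHdr(2) version(4) cf(2) cbObject(4) reserved(16)
MTEF_HDR_LEN = 5        # MTEF version, platform, product, version, subversion
FONT_TAG = 0x08         # MTEF v3 FONT record: tag, tface, style, name, NUL
# ASSUMED threshold: real typeface names are short ("Times New Roman" is 15
# bytes) and the destination is a small fixed-size stack buffer, so a name this
# long cannot be legitimate. Tune it; do not treat it as the exact buffer size.
MAX_TYPEFACE_LEN = 40

CMD_RE = re.compile(rb"cmd(?:\.exe)?\s*/[ck][^\x00]{1,200}", re.IGNORECASE)


def iter_font_records(stream):
    """Yield (offset, tface, style, name) for each byte sequence after the
    fixed headers that looks like a FONT record with a printable name."""
    if len(stream) < EQNOLEFILEHDR_LEN + MTEF_HDR_LEN:
        return
    (cb_hdr,) = struct.unpack_from("<H", stream, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        return
    pos = EQNOLEFILEHDR_LEN + MTEF_HDR_LEN
    while pos + 3 < len(stream):
        if stream[pos] == FONT_TAG:
            end = stream.find(b"\x00", pos + 3)
            if end == -1:
                end = len(stream)
            name = stream[pos + 3:end]
            if name and all(0x20 <= b < 0x7F for b in name[:8]):
                yield pos, stream[pos + 1], stream[pos + 2], name
                pos = end + 1
                continue
        pos += 1


def scan_equation_native(stream):
    """Return the heuristic hits and a verdict for one Equation Native stream."""
    overlong = [
        {"offset": off, "length": len(name), "name": name}
        for off, _tface, _style, name in iter_font_records(stream)
        if len(name) > MAX_TYPEFACE_LEN
    ]
    cmds = [m.group(0).decode("latin-1") for m in CMD_RE.finditer(stream)]
    if overlong and cmds:
        verdict = "critical: overlong FONT record carrying a cmd.exe payload (CVE-2017-11882 likely)"
    elif overlong:
        verdict = "high: overlong FONT record"
    elif cmds:
        verdict = "medium: cmd.exe string without FONT overflow"
    else:
        verdict = "clean"
    return {"overlong_font": overlong, "cmd_strings": cmds, "verdict": verdict}


def build_sample_stream(font_name):
    """CONSTRUCTED test input, not bytes taken from the analysed document:
    EQNOLEFILEHDR + MTEF v3 header + one FONT record + END record (0x00).
    Version/cf header fields are zeroed; the scanner does not check them."""
    body = b"\x03\x01\x01\x03\x0a" + bytes([FONT_TAG, 0x5A, 0x5A]) + font_name + b"\x00\x00"
    hdr = struct.pack("<HIHI16s", EQNOLEFILEHDR_LEN, 0, 0, len(body), b"\x00" * 16)
    return hdr + body


BENIGN = build_sample_stream(b"Times New Roman")
# The 28-byte command from the report, padded with 'A' to 48 bytes so that it
# exceeds the typeface threshold (padding only, not a real exploit layout).
PAYLOAD_CMD = b"cmd.exe /c%tmp%\\Client.exe A"
MALICIOUS = build_sample_stream(PAYLOAD_CMD + b"A" * (48 - len(PAYLOAD_CMD)))

if __name__ == "__main__":
    for label, s in (("benign", BENIGN), ("malicious", MALICIOUS)):
        r = scan_equation_native(s)
        print(label, r["verdict"], [h["length"] for h in r["overlong_font"]], r["cmd_strings"])
```

To run this against a real document, extract the "Equation Native" stream from the OLE container first (for example with olefile) and pass its bytes to scan_equation_native; the CLSID check that corresponds to OLE_EQUATION_EDITOR belongs at that extraction step, since it only tells you an Equation Editor object exists, not that its MTEF data is malformed.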