Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 64e549e77a549fa5…

MALICIOUS

Office (OLE) / .DOC

971.5 KB First seen: 2022-12-14
MD5: 12c4f3fe62d83183e085b0bf64a4f8e6 SHA-1: 70e23e6fe9fa6d2fb02e814e5b5e69c1f284fc1d SHA-256: 64e549e77a549fa509a5378b186b77cfa038f7e7d22a68e0a403e61fa5a77cd2
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample contains an embedded Equation Editor OLE object that is known to be vulnerable to CVE-2017-11882. This vulnerability allows for arbitrary code execution when the object is processed. The embedded payload, identified as 'oLe10naTive', is indicative of this exploit. The primary attack vector is likely the exploitation of this specific CVE.

Heuristics 2

  • Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
a22526b8f4cc598d78d94ce75ad7d73623d4ecd6f0546d6fc55fdcd397795a39		 ole-package OLE Ole10Native stream: oLe10naTive 984529 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.