Office (OLE) / .DOC malware analysis — malicious · 7e18cd644a1035a1

MALICIOUS

Office (OLE) / .DOC

876.0 KB First seen: 2022-08-24

MD5: c21f985b42177b0a9843ba65ffe0c5c8 SHA-1: 53de9b57269a7724ab15ab74e73bdccad41750d8 SHA-256: 7e18cd644a1035a1385b076f43e4e24ed98f4c9837fa34cc29aaef7aa2ac22f1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2017_11882_EQUATION_OLE10NATIVE indicates that this document contains a malicious payload exploiting the Equation Editor vulnerability. The presence of an OLE object containing Equation Editor data further supports this finding. The file is a malicious Office document designed to exploit this specific vulnerability for initial execution.

Heuristics 3

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
x86 GetPC stub (CALL $+5; POP ECX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP ECX)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `89417daffd6284d7c9455ba6a6e7ac4eb6c80421997aafa0a6a27ce38a355613`	ole-package	OLE Ole10Native stream: OLE10NaTIVE	887355 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.