MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The critical heuristic firing for CVE-2018-0802 indicates the file exploits a vulnerability in the Equation Editor component of Microsoft Office. This vulnerability allows for arbitrary code execution when a specially crafted file is opened. The MTEF SIZE record anomaly further supports this finding.
Heuristics (3)
- CVE-2018-0802 — Equation Editor SIZE record overflow | critical | CVE | likely | CVE_2018_0802
  Equation Editor MTEF contains an exploit-sized SIZE record, the vulnerable parser path described for CVE-2018-0802. This is stronger evidence than Equation Editor activation alone because it identifies the malformed SIZE record primitive.
- Equation Editor OLE object | high | OLE_EQUATION_EDITOR
  Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
- MTEF SIZE record has implausibly large value | high | OLE_MTEF_SIZE_RECORD_ANOMALY
  Equation Editor MTEF SIZE record declares an explicit point size or delta far beyond legitimate equation text. CVE-2018-0802 abuses the SIZE parsing path; this catches that structural record shape without relying on a fixed ROP payload.