Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 81261952e0e2e0ea…

MALICIOUS

Office (OLE) / .DOC

Size: 1.16 MB
First seen: 2022-06-29
MD5: 1bc46edd9bccf96382f643306c57cd92
SHA-1: b069a51c9221f98e46157eced8d4f0ece785ee9e
SHA-256: 81261952e0e2e0ea31e3c9679099ac752810c530ffa11836b3840bd16c9c35de
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2018-0802 indicates the file exploits a vulnerability in the Equation Editor component of Microsoft Office. This vulnerability allows for arbitrary code execution when a specially crafted file is opened. The MTEF SIZE record anomaly further supports this finding.

Heuristics (3)

  • CVE-2018-0802 — Equation Editor SIZE record overflow [critical | CVE | likely | CVE_2018_0802]
    Equation Editor MTEF contains an exploit-sized SIZE record, the vulnerable parser path described for CVE-2018-0802. This is stronger evidence than Equation Editor activation alone because it identifies the malformed SIZE record primitive.
  • Equation Editor OLE object [high | CVE related | OLE_EQUATION_EDITOR]
    Contains an Equation Editor object. Related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • MTEF SIZE record has implausibly large value [high | OLE_MTEF_SIZE_RECORD_ANOMALY]
    Equation Editor MTEF SIZE record declares an explicit point size or delta far beyond legitimate equation text. CVE-2018-0802 abuses the SIZE parsing path; this catches that structural record shape without relying on a fixed ROP payload.