Office (OLE) malware analysis — malicious · 8233298f8cf85afa

MALICIOUS

Office (OLE)

815.5 KB Created: 2002-02-26 11:23:00 Authoring application: Microsoft Word 9.0 First seen: 2018-06-25

MD5: 527429f8528f427ea447672f4e602496 SHA-1: ee249a918d00771edd1bf5e021ace6515caac0a6 SHA-256: 8233298f8cf85afa76efb3f7db2f08e2d9ba95257307c119e6c923a3c09121ec

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample contains an embedded Equation Editor OLE object that is known to exploit the CVE-2017-11882 vulnerability. This vulnerability allows for the execution of arbitrary code when the object is loaded, leading to a malicious payload being dropped.

Heuristics 2

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229315/Ole10Native	68 bytes
SHA-256: `c0195eedfe19ec09a60f15b8775da888ea6f3e4113cc0fec15ba0d8da9acb0e2`
`ole10native_01.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229318/Ole10Native	68 bytes
SHA-256: `438b38aa788c6891c72a606ed487db11b37af53a9bb1988ad0e94d871014d253`
`ole10native_02.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229319/Ole10Native	100 bytes
SHA-256: `1f1955a29480ecb3435097af8b24acb6b31afccbc077931f47de59d4a7237623`
`ole10native_03.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229320/Ole10Native	100 bytes
SHA-256: `5633e2d82d04da0b3e1f3fc6292971f0db86f91da41ad80779649b4e46a420da`
`ole10native_05.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229323/Ole10Native	68 bytes
SHA-256: `249047ec88c2a872bc97e9a6e4d820604bae9c43afd5cdda5530a12620d5f89a`
`ole10native_06.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229324/Ole10Native	132 bytes
SHA-256: `3f7fd6fec5b98057906dbfe34d6e6a6c576df184e7fc4258fe25f0042ed60047`
`ole10native_07.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229325/Ole10Native	100 bytes
SHA-256: `7b1ecd39feae6e7370b7ca3c6e6d35e86ca67f7572748f4dbe03c11f21dfe259`
`ole10native_08.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229327/Ole10Native	68 bytes
SHA-256: `baa393eb2198b421549b492f2f6a59c1d2647fd982b736f4a3273c0a33225c78`
`ole10native_09.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229328/Ole10Native	100 bytes
SHA-256: `ca21ec16d1c1149a8809e8f69b3e0f74e357bd66b2eedb6076ae794dc90106d3`
`ole10native_10.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229329/Ole10Native	68 bytes
SHA-256: `9bd5a57458a7edbd884293da92305b016f051b8de1c4f0ee21c52010cefb37cf`
`ole10native_12.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229332/Ole10Native	100 bytes
SHA-256: `8a1658661151c8672f79fd073c1492f23a8c91def1499d2839af28ce58f55673`
`ole10native_13.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229333/Ole10Native	68 bytes
SHA-256: `59322179b59208031cdf1a02bdf124073c03e835ecf43380364b2b7c5dfcd546`
`ole10native_14.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229334/Ole10Native	100 bytes
SHA-256: `50f6ec6ce1a3c91ca191afca5e6dc4d82e9ebb272365fd362b144f4f5273a01a`
`ole10native_15.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229340/Ole10Native	132 bytes
SHA-256: `76c647e9723659254b070620a73de9981f1ba5bd3b962878deda94b0ae9df181`
`ole10native_16.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229341/Ole10Native	100 bytes
SHA-256: `d40145f90bfd9d1035eb0561cfa16f7dd9cfd9886da5e3ce912c11574d3cdb98`
`ole10native_17.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229343/Ole10Native	100 bytes
SHA-256: `c4e677b07e3dc72f47404148b638d5054d457fa6796bd20d8567b7bd9f2403d4`
`ole10native_18.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229344/Ole10Native	100 bytes
SHA-256: `cf2a04bf0c0704389b6cef4c8dbfeafc3231dd1aeb96b8a41022b731ca0cf0e4`
`ole10native_19.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229345/Ole10Native	100 bytes
SHA-256: `14b274a9350391e260605295eeea425872f6b8ed48fd8f5393214cd72ced0522`
`ole10native_20.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229347/Ole10Native	100 bytes
SHA-256: `5941b7a5ac0f32bbf3b2ddb7c65168a2e0cd9f8f19eb5c1572d701a177c6c50f`
`ole10native_21.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229348/Ole10Native	68 bytes
SHA-256: `c02d5906acdbade7299714b161c452a698e90f212b4b2b990d9d577c41ae5c83`
`ole10native_22.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229349/Ole10Native	68 bytes
SHA-256: `98669bd6b59b12d2e57f83adf39b28c5f1c735bc4cbbf7580a84a6ef54bd5ef3`
`ole10native_23.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229350/Ole10Native	68 bytes
SHA-256: `40a70ffb910470eca9eb16b4a84f79be5dad66cf2a4eb9da3352a656f096df08`
`ole10native_24.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229352/Ole10Native	132 bytes
SHA-256: `6f1bec140570065de1ed9fccfa7152c269dff569404af96c7f7d92e0551725f6`
`ole10native_25.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229353/Ole10Native	132 bytes
SHA-256: `3422fac49a62347854441c5f249f4efff301a0311df7254dbba1071abd3395be`
`ole10native_26.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229354/Ole10Native	68 bytes
SHA-256: `68c65b004ac464285eac8db57084d94c5b5c1e71f21f8c6d64085e8a6fa8a549`
`ole10native_28.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229357/Ole10Native	260 bytes
SHA-256: `542db3e2e343ffde61903cb02eec374c589cbac7d7d68af9b03edbc35013d174`
`ole10native_29.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229358/Ole10Native	100 bytes
SHA-256: `635d332d4494b08cde8e92872f6f16eaf0da85747f589aba580acae8b194ea8b`
`ole10native_31.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229361/Ole10Native	68 bytes
SHA-256: `7f04209b10f9504f1f501e2fec525d6a83173c69a9be115f1126293bad3b3b7e`
`ole10native_33.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229363/Ole10Native	196 bytes
SHA-256: `316cdea1468f02370ac8b9f15d0e11da0259902fb81475c6910cd7ccbb0897e6`
`ole10native_35.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229369/Ole10Native	260 bytes
SHA-256: `4ab4732b3b802d5d11e19943bacff5df223106d502d494517223b8f932368fc9`
`ole10native_36.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229370/Ole10Native	100 bytes
SHA-256: `3ba5bf51f410aaaacb57dd3e9f1659f9dc99621e4dff2eb5712a922bfc6dbea2`
`ole10native_37.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1076229372/Ole10Native	100 bytes
SHA-256: `6fd522024517c743e36bdb61716487eee48d45ffc0c73b3124ffad0de32bdd7a`

Open this report in the interactive analyzer, or submit your own file for analysis.