Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8caeea896c66fc09…

MALICIOUS

Office (OLE)

Size: 539.5 KB
Created: 2005-09-21 07:44:45
Authoring application: Microsoft Excel
MD5: 086b4d94bb89ff7c80df309a456ab40f
SHA-1: c2fd60a4dff89c50d062bb43eac5696c022c2da7
SHA-256: 8caeea896c66fc097a0da93315ce583959fe16e0b46c0912e3359573ab80358e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious Link
  • T1559.001 Component Object Model Hijacking

The file is an Excel document containing VBA macros and an embedded Equation Editor OLE object, both of which are common vectors for exploitation. The document body contains instructions that appear to guide the user through a printing process, which is likely a pretext to trigger the Equation Editor exploit. The presence of the Equation Editor OLE object strongly suggests exploitation of CVE-2017-11882 or a similar vulnerability. The VBA macros were not analyzed in detail but their presence alongside the exploit object indicates a multi-stage attack.

Heuristics 2

  • Equation Editor OLE object (high, CVE related, OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          b7f194c31bef8f5ef8bc7a4e3ef5f79aa303e7abe09ed93b281bf271c07b8bf4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6744 bytes