MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is a malicious OOXML document containing an embedded OLE object, identified as an Equation Editor. This technique is commonly used to exploit vulnerabilities and execute arbitrary code. The presence of this object strongly suggests an attempt to deliver a secondary malicious payload.
Heuristics 3
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object word/embeddings/oleObject24.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject63.bin | 3584 bytes |
SHA-256: 120297cecf13b76bf4961d94058c916ad099d8adda6bb9502ccf994cc0aa9a11 |
|||
ooxml_oleobject_01.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject24.bin | 3584 bytes |
SHA-256: 6d49e39b431595d6ba52f3e00f4b07a9c72093ae1faacac543f43b2462eb80e8 |
|||
ooxml_oleobject_02.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject77.bin | 3072 bytes |
SHA-256: ad07dd4952b4c2de1b991a8e206dc7afee5314d0956801f6ed264c8d1248579c |
|||
ooxml_oleobject_03.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject72.bin | 3072 bytes |
SHA-256: 19ad2478f4d9caa9987f3bcf07c5c8deea51f74760454a0777a702b8a1669980 |
|||
ooxml_oleobject_04.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject30.bin | 3072 bytes |
SHA-256: bbef76d4baafffcaaa8146c445d5d61827b9ce795b331377ea8c65d6b5aed215 |
|||
ooxml_oleobject_05.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject41.bin | 3072 bytes |
SHA-256: b4b27d4ebc93190803290f618027ab5dc1c1d3cab99a486a7c655be2db86ef7a |
|||
ooxml_oleobject_06.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject12.bin | 3072 bytes |
SHA-256: ee4e6d05821e1d1e7101e0269a1f5f9e8b7d88d3685f961dfac16954f28f8973 |
|||
ooxml_oleobject_07.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject75.bin | 3072 bytes |
SHA-256: 7602209fa15dbc93642a6e73a84fde6091de83039c6b1caf7b46a88e3cef6ee9 |
|||
ooxml_oleobject_08.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject51.bin | 3584 bytes |
SHA-256: 964475c5390a25d4bbe69637167f7a451973780057ea9a2135bdddc4c3310251 |
|||
ooxml_oleobject_09.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject17.bin | 3072 bytes |
SHA-256: 27e841c4dc4a7f55468487f9c931dca294371c9008c93b0f094a28e5db0b1bc9 |
|||
ooxml_oleobject_10.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject64.bin | 3584 bytes |
SHA-256: 9f43284f1596557c6e3685add357b379d747024134a181701c6ca05c776b8695 |
|||
ooxml_oleobject_11.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject45.bin | 4096 bytes |
SHA-256: b653078e4b788fb9885ed2e7fad2b91051343fcc6ff364f4b11d57f7b2ba7143 |
|||
ooxml_oleobject_12.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject25.bin | 3072 bytes |
SHA-256: 665475bd865a675613e5c117fe3a011e8a7c7e10d3e7b199a683780d3ad40aa7 |
|||
ooxml_oleobject_13.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject67.bin | 3072 bytes |
SHA-256: e9aafa732fdf748e6c4c158dc3002bc5b7b77802c52abfa62987adb15892c692 |
|||
ooxml_oleobject_14.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 3072 bytes |
SHA-256: 0cf2a157f9cc259f5a4600986093b4b5766ade09e5955b5fcc6a11d9a80ea888 |
|||
ooxml_oleobject_15.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject5.bin | 3584 bytes |
SHA-256: 4ffc6b1c6a9ccdcff6f80fa7af12f4fe641531f3c8b346846f3a6e96f551be46 |
|||
ooxml_oleobject_16.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject81.bin | 3072 bytes |
SHA-256: 44471c5ce33003096758eaceb56f43d414cec75ceb29f3f4d0c3746e405b951d |
|||
ooxml_oleobject_17.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject40.bin | 3072 bytes |
SHA-256: 94fcf72c66eec0f6f0a5bfd3ac1c8b9477a618f3f17232fa2ea9cda0559f80e3 |
|||
ooxml_oleobject_18.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject52.bin | 3072 bytes |
SHA-256: 1a2819c79f7552904d88901c247ab0d0578285deb075888493fbc9f66395fbe1 |
|||
ooxml_oleobject_19.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject19.bin | 3072 bytes |
SHA-256: fab55b0742cd68c1b2b37b4d4dd8b35a93b06af0da84b58268a721c2007076c7 |
|||
ooxml_oleobject_20.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject7.bin | 3072 bytes |
SHA-256: b14b7a9558eab7867302f8696891da1ca94695de91ec6e1d97baba802bbc06f5 |
|||
ooxml_oleobject_21.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 3072 bytes |
SHA-256: a8bad6cdf2eebed2db2f49f9fb5e827de867dfc77caf0c1e145220ba0e3fc6b9 |
|||
ooxml_oleobject_22.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject58.bin | 3072 bytes |
SHA-256: f8547526c32f602dc3271910916d3217f3d67f4abd9ac119c6a9b90a8fde3712 |
|||
ooxml_oleobject_23.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject33.bin | 3072 bytes |
SHA-256: 6f30e945a4ba041a1f1bf6dc9773301f05e8d6eeaebc1a023e96b7b58c2fece1 |
|||
ooxml_oleobject_24.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 3584 bytes |
SHA-256: 1e283ea88d0f8c7d343662dad7f66153894f54f9f245ae24c1a7a3cacc7fcae3 |
|||
ooxml_oleobject_25.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject14.bin | 3584 bytes |
SHA-256: 13b0fff527ff57aa924af11e0370a32cc57a1ca0a7733c48430ce366a89675c5 |
|||
ooxml_oleobject_26.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject28.bin | 3072 bytes |
SHA-256: d2e2244f108baa808d07572c1aae6805c2a30f6cfebe7b5abd0da9fb606da983 |
|||
ooxml_oleobject_27.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject13.bin | 3584 bytes |
SHA-256: 584818663e36f926a9a4cf83b38bea711b80290b50e0420dfcb6b42c0ff2ba71 |
|||
ooxml_oleobject_28.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject29.bin | 3072 bytes |
SHA-256: 19a1a688845096cda619116d8c00ee04775dc1035bc6251e075fd2245e960771 |
|||
ooxml_oleobject_29.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject18.bin | 3072 bytes |
SHA-256: 16290664c27606f375240e44dfa9c5587475b855a2c89690a3026b3cfa14e229 |
|||
ooxml_oleobject_30.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject57.bin | 3072 bytes |
SHA-256: 0af2a562464f9a77f39661f813679b91fb3d202b01726864f96cb85b114c0c52 |
|||
ooxml_oleobject_31.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject47.bin | 3072 bytes |
SHA-256: ee17fc815d5e7c76a2864296e71e3d46d543add59c90821eff72fb7ad22f1c36 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.