MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. Critical heuristic firings indicate the presence of the CVE-2017-11882 vulnerability, which is commonly exploited by attackers to execute arbitrary code. The document also contains a lure to enable macros, a typical method for bypassing security measures. The embedded OLE object is the primary indicator of compromise, likely serving as the initial vector for exploitation.
Heuristics 4
-
CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object xl/embeddings/fQVvb1n6.ukazC contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin279ec41cf90dd069260281086dd4c535620572bb11557df8ee3a90e858f39a04 |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/fQVvb1n6.ukazC | 3049984 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.