Office (OLE) / .DOC malware analysis — malicious · a35245a5b77388e5

MALICIOUS

Office (OLE) / .DOC

923.0 KB First seen: 2022-07-18

MD5: 0452ed44d96ffe9557214ecbdbffcc08 SHA-1: 81bd06e408cd064f852eeb94dcc7fe20a78f4c10 SHA-256: a35245a5b77388e59b5ab0f5c99c0b04edf4f9f31a131cb3683e7c4595bc4801

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File Execution: Malicious File T1559.001 Component Object Model Hijacking: Component Object Model

The critical heuristic firing for CVE-2017_11882_EQUATION_OLE10NATIVE indicates the exploitation of a known vulnerability in Microsoft Equation Editor. This technique is commonly used to execute arbitrary code, likely leading to the download and execution of a secondary payload. The presence of an OLE object containing this exploit payload strongly suggests a malicious intent.

Heuristics 2

Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE

An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin` `da075130e0113d8d6f2e6b1b3faf9433ea5d1122a868b6799e81d05c1fc683a3`	ole-package	OLE Ole10Native stream: OLe10naTive	935195 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.