Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b0d2f814f5ddc712…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.97 MB
Created: 2025-05-19 13:45:51 UTC
Authoring application: Microsoft Excel 12.0000
MD5:     e65d6309824b1f76b03afb4c84fdffc4
SHA-1:   5b189cf6b4ab34686c81a56e2726d4e0c26380f2
SHA-256: b0d2f814f5ddc7120fcd1791813ecf0dfb95e429c5821feaa37cf3418b607004
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1203 Exploitation for Client Execution; T1559.001 Inter-Process Communication: Component Object Model

The sample is an OOXML spreadsheet carrying an embedded OLE object identified as a Microsoft Equation Editor (Equation 3.0) object. The critical heuristic fired on a malformed FONT record inside that object: the record whose typeface name EQNEDT32.EXE copies into a fixed-size stack buffer without a bounds check, the bug tracked as CVE-2017-11882. On an Office installation without the November 2017 patch the overflow runs attacker code as soon as the object is rendered, with no macro prompt; in the wild that code is almost always a downloader or dropper, and the most likely purpose of this document is to fetch and run a second-stage payload, although this static report does not identify that payload. The visible spreadsheet content is inventory or product data, a lure to make the recipient open the file.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow  [critical | CVE likely | CVE_2017_11882]
    The Equation Editor MTEF stream contains a FONT record whose NUL-terminated typeface name is longer than the fixed-size stack buffer EQNEDT32.EXE copies it into; that unchecked copy is the primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone: the CLSID only shows that the legacy component will be loaded, while the overlong record is what drives code execution.
  • Equation Editor OLE object  [high | CVE related | OLE_EQUATION_EDITOR]
    The embedded OLE part xl/embeddings/VrgxbEryJ.ZGJ carries the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Excel itself names embeddings oleObjectN.bin; a random part name and extension is not something Excel produces and points to a document-building tool.
  • Embedded OLE object  [medium | OOXML_OLE_OBJECT]
    The document contains an embedded OLE object.
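The check behind the first two heuristics, as an added Python example (not the scanner's or the page's own code). It searches a carved embedding for the Equation Editor CLSID bytes and for an MTEF v3 header, walks the FONT records and flags a typeface name that cannot fit a 36-byte buffer together with its terminator. It goes beyond this sample by scanning any part under an embeddings/ folder (xl/, word/ or ppt/) whatever its extension, since the part name is attacker-chosen. Assumptions: the 36-byte buffer size, a raw byte search in place of a compound-file parser, and the constructed sample package, which contains a filler name and no shellcode.

```python
"""Check OOXML embeddings for the CVE-2017-11882 Equation Editor FONT-record overflow.

Added example, not the scanner's own code. Assumptions: the embedded OLE part is
searched for the raw Equation Editor CLSID bytes and for an MTEF v3 header instead
of being parsed as a compound file, and the typeface-name buffer is 36 bytes.
"""
import io
import struct
import zipfile

# Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} as a compound-file
# directory entry stores it (Data1..Data3 little-endian, Data4 byte for byte).
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
# MTEF header bytes: version 3, platform 1 (Windows), product 1 (Equation Editor).
# Two more bytes (product version, subversion) complete the 5-byte header.
MTEF_V3_HEADER = b"\x03\x01\x01"
MTEF_HEADER_LEN = 5
FONT_RECORD_TAG = 0x08     # FONT record: tag, tface, style, NUL-terminated typeface name
END_RECORD_TAG = 0x00
# Assumed size of the stack buffer EQNEDT32.EXE copies the typeface name into
# (the figure reported for CVE-2017-11882); a name that does not fit with its
# terminator overwrites what lies above the buffer on the stack.
FONT_NAME_BUFFER = 36


def parse_mtef_font_records(mtef):
    """Return the typeface names of the FONT records at the start of an MTEF v3
    body. Only FONT is modelled; walking stops at END or any other record type."""
    names = []
    pos = MTEF_HEADER_LEN
    while pos < len(mtef):
        if mtef[pos] != FONT_RECORD_TAG:
            break                      # END (0x00) or a record type this check does not need
        name_start = pos + 3           # skip tag, tface index and style bytes
        nul = mtef.find(b"\x00", name_start)
        if nul == -1:                  # unterminated name: the copy loop would run to the end
            names.append(mtef[name_start:])
            break
        names.append(mtef[name_start:nul])
        pos = nul + 1
    return names


def scan_ole_blob(data):
    """Heuristic scan of one carved OLE part: CLSID presence and FONT name lengths."""
    result = {"has_eqnedt_clsid": EQNEDT_CLSID_LE in data,
              "font_name_lengths": [], "font_overflow": False}
    start = 0
    while True:
        idx = data.find(MTEF_V3_HEADER, start)
        if idx == -1:
            break
        for name in parse_mtef_font_records(data[idx:]):
            result["font_name_lengths"].append(len(name))
            if len(name) + 1 > FONT_NAME_BUFFER:   # name plus NUL does not fit the buffer
                result["font_overflow"] = True
        start = idx + 1
    return result


def scan_ooxml_bytes(package):
    """Apply scan_ole_blob to every embedding part of an OOXML package given as bytes.
    Any path under an embeddings/ folder is scanned regardless of extension, because
    the part name is attacker-chosen (this report's sample uses xl/embeddings/VrgxbEryJ.ZGJ)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:
                findings[name] = scan_ole_blob(zf.read(name))
    return findings


# --- constructed sample input so the check can be exercised offline ---------------

def build_equation_native(font_name):
    """Constructed Equation Native stream: 28-byte EQNOLEFILEHDR, MTEF v3 header,
    one FONT record with the given typeface name, then END."""
    mtef = (MTEF_V3_HEADER + b"\x03\x0a"
            + bytes([FONT_RECORD_TAG, 0x01, 0x01]) + font_name + b"\x00"
            + bytes([END_RECORD_TAG]))
    hdr = struct.pack("<HIHIIIII", 0x1C, 0x00020000, 0, len(mtef), 0, 0, 0, 0)
    return hdr + mtef


def build_sample_ole(font_name):
    """Constructed stand-in for a carved OLE part: CFB magic, the CLSID bytes as a
    directory entry would hold them, and an Equation Native stream. It is not a
    valid compound file; it exists only so the block runs without a real sample."""
    return (bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 24
            + EQNEDT_CLSID_LE + b"\x00" * 16
            + build_equation_native(font_name))


def build_sample_xlsx(font_name, part_name="xl/embeddings/VrgxbEryJ.ZGJ"):
    """Constructed minimal .xlsx package (bytes) embedding build_sample_ole()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # stub; a real package has more parts
        zf.writestr(part_name, build_sample_ole(font_name))
    return buf.getvalue()


if __name__ == "__main__":
    # Benign typeface name versus a 48-byte filler (no shellcode, no return address).
    for label, name in (("benign", b"Times New Roman"), ("overlong", b"A" * 48)):
        for part, res in scan_ooxml_bytes(build_sample_xlsx(name)).items():
            print(label, part, res)
```

On a real carved part, open the actual stream with olefile (olefile.OleFileIO(path).openstream("Equation Native").read()) and hand the bytes after the 28-byte header to parse_mtef_font_records; that avoids spurious header matches inside a multi-megabyte OLE part, whereas the byte search above is the cheap triage version.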

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  fc41c8ad34d8ba60df6712b9f20ca3731b4d410edb3c560acffdc31339a9efe2
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/VrgxbEryJ.ZGJ
Size:     2779136 bytes