Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b4c1dacc30acdd89…

MALICIOUS

Office (OOXML)

14.1 KB Created: 2018-12-19 09:43:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-11-20
MD5: ce7c8ea0fd2861ffb886e05d8c066062 SHA-1: 27c1d934d046ae1fff05d4ff4808c1ed3f47b2ae SHA-256: b4c1dacc30acdd89beeb0f3107a314479e79167653437b4ccba19faa3fed25c3
102 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample contains an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate this object is anomalous and vulnerable to CVE-2018-0798, suggesting it's designed to exploit this vulnerability for client-side code execution. No document body text or scripts were extracted, limiting further analysis of the payload.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object word/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 4096 bytes
SHA-256: 21a835ba6565a19df3b8297125f2b1ccd23c8b3ebb3d35b47000fdad19661540
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: OlE10natIVe 1578 bytes
SHA-256: 120a75bd940039c197f9a8e1d3865e8cc7c59f4fa43cb4e27cb8a3983f880d6b

Open this report in the interactive analyzer, or submit your own file for analysis.