MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File
The file is an Excel spreadsheet containing an embedded Equation Editor OLE object, which is a known vector for exploiting vulnerabilities. Although the VBA project contains no executable statements, the presence of the Equation Editor object strongly suggests an attempt to leverage a known exploit. The embedded PDF content and metadata do not provide further clues to the specific payload or family.
Heuristics 5
-
Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVEAn embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
-
Equation Editor OLE object high OLE_EQUATION_EDITORContains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
-
Equation Editor shellcode downloads a second-stage payload critical OLE_MTEF_SHELLCODE_DOWNLOAD_URLThe shellcode reached by the Equation Editor overflow resolves download/exec APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub; an integer-encoded host (e.g. http://000030000706151) is normalised to its dotted-quad form and both spellings are surfaced.
-
VBA project contains no executable statements info OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://107.175.88.100/ttpswww.adobe.comincreativecloud.htmlsdid=PTYTPT9K&mv=search&mv2=paidsearch&ef_id=f00cfa57c6d61803461.php In document text (OLE body)
- http://000015353654144/ttpswww.adobe.comincreativecloud.htmlsdid=PTYTPT9K&mv=search&mv2=paidsearch&ef_id=f00cfa57c6d61803461.phpIn document text (OLE body)
- http://000030000706151In document text (OLE body)
- http://192.3.140.105Decoded from obfuscated IP host (000030000706151)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes |
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD025B577D/OLE10native | 1897 bytes |
SHA-256: 59a46bd284c431defaa0ce09b6f2c80c946cb68c0b08754399b17db0a6db878a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.