MALICIOUS
226
Risk Score
Heuristics 7
-
Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVEAn embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
-
Equation Editor OLE object high OLE_EQUATION_EDITORContains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
-
Equation Editor shellcode downloads a second-stage payload critical OLE_MTEF_SHELLCODE_DOWNLOAD_URLThe shellcode reached by the Equation Editor overflow resolves download/exec APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub; an integer-encoded host (e.g. http://000030000706151) is normalised to its dotted-quad form and both spellings are surfaced.
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
VBA project contains no executable statements info OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://172.245.95.30/httpswww.opswat.comservicesprofessional-servicescybersecurity-assessments.php In document text (OLE body)
- http://00025475257436/httpswww.opswat.comservicesprofessional-servicescybersecurity-assessments.phpIn document text (OLE body)
- http://000030000706151In document text (OLE body)
- http://192.3.140.105Decoded from obfuscated IP host (000030000706151)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/pdf/1.3/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- https://learn.microsoft.com/en-us/typography/font-list/calibrihttp://lucasfonts.comMicrosoftIn document text (OLE body)
- http://en.wikipedia.org/wiki/MIT_LicenseIn document text (OLE body)
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes |
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD00450C7B/OLE10nATiVe | 1738 bytes |
SHA-256: 60b00f905f10ee7e13a4dea9cf02964e5e3fa8863b2774ee57978393342e6f73 |
|||
stream_008_off00023809.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23809 | 352784 bytes |
SHA-256: f3175a5c6c9d0f8a85c5a6f93d1f56198dfd0a62dcf8fbe9f723870754d9d5a4 |
|||
polyglot_child_pdf_off00001000.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x1000 | 943616 bytes |
SHA-256: 907b028ae4b83cd173111157f0890ecd87e1bd0fb179f6abf8617162291d8e85 |
|||
polyglot_child_pdf_off00018a00.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x18A00 | 846848 bytes |
SHA-256: d000ef77753089c0fcdeeb9b41c3b29f917eefe54e8889a34ba41d33334c3a2a |
|||
polyglot_child_pdf_off00061a00.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x61A00 | 547840 bytes |
SHA-256: 11692b0e3c10250149788b6388d3001e369ac6b7c49a6e04a2b60cf2581ad71a |
|||
polyglot_child_pdf_off00079200.pdf |
polyglot-child-pdf | Secondary PDF body inside ole container at offset 0x79200 | 451584 bytes |
SHA-256: a43f2933569f82cca9cd6f52ba1d9f292c917f315b591dc1c30dea7c2fc03b3e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.