Office (OLE) / .DOC malware analysis — malicious · b69e8565b8575bdb

MALICIOUS

Office (OLE) / .DOC

843.5 KB First seen: 2022-08-02

MD5: 558bc88e05664ab20e45118cdfc435fa SHA-1: 39b8535d54b7b720a51ca7f054cf33fe95019d8b SHA-256: b69e8565b8575bdbbf1300e169cca058b5a1f5a521f78aa01f419987d5dd211f

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2017-11882 indicates the file is designed to exploit a known vulnerability in the Equation Editor component of Microsoft Office. This vulnerability allows for arbitrary code execution, likely to download and run a secondary payload. The document body is heavily obfuscated and does not provide clear user-facing content, further suggesting a malicious intent behind the exploit.

Heuristics 2

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Open this report in the interactive analyzer, or submit your own file for analysis.