Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 bfa284e5481bcdbe…

MALICIOUS

Office (OLE) / .DOC

814.0 KB First seen: 2022-09-15
MD5: 2952b51a35701f514ed70b7760bb7c25 SHA-1: b7721ffbda33b99d6234571fcb6bd555cffa438d SHA-256: bfa284e5481bcdbe60f24a4433518fba4b1f81f24f4a712d6e4043abdf2572e7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2017_11882 indicates the file contains a malicious Equation Editor OLE object. This vulnerability is commonly exploited to achieve arbitrary code execution. The embedded OLE object likely contains a secondary payload, though no scripts were extracted to detail its specific actions.

Heuristics 2

  • Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
de82e19141501ec15c70a9c6ede74f784a59d7d6acc787e88e6a2fd75478b5c8		 ole-package OLE Ole10Native stream: oLe10naTIVE 824448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.