Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The critical heuristic firing indicates the file exploits CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. The exploit uses a nibble-shifted technique and a stager that executes 'rundll32'. The OLE parsing heuristic suggests the file may be truncated or deliberately malformed to evade detection. No document body or scripts were extracted, but the exploit itself is sufficient to classify the attack pattern.
Heuristics (2)
- Nibble-shifted Equation Editor exploit — CVE-2017-11882 (severity: critical; category: CVE likely; ID: CVE_2017_11882): The file has a CFB (OLE2) header but no readable streams, and dropping one leading 4-bit nibble re-aligns the content to expose the Microsoft Equation 3.0 CLSID together with an execution stager / the EQNEDT32.EXE return gadget. Whole-file nibble shifting is a deliberate evasion that defeats olefile parsing and every byte-aligned signature while Office still loads the object — an unambiguous CVE-2017-11882/0802 dropper.
- CFB header with no readable streams (severity: medium; ID: OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.