Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c466ef67caed4f27…

MALICIOUS

Office (OLE) / .DOC

Size: 1003.0 KB
First seen: 2023-08-28
MD5: b866925120b57edaa0cf54e8d58b82f9
SHA-1: b903a95aaad655df5758bcbdc091530b978e285b
SHA-256: c466ef67caed4f27d0ca8fd6ed5320775eb4c34ba9d73c5740b32889c756a7c7
Risk score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic for CVE-2017-11882 indicates that the embedded Equation Editor object carries a payload built to exploit this vulnerability, a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that is triggered when the document is opened and is commonly used to gain arbitrary code execution on the victim's machine. The SHA-256 listed above is the primary identifier for this document.

Heuristics 2

  • Equation Editor Ole10Native payload (CVE-2017-11882). Severity: critical. CVE: likely. Rule: CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow plus shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object. Severity: high. CVE: related. Rule: OLE_EQUATION_EDITOR
    Contains an Equation Editor object, which is related to CVE-2017-11882 / CVE-2018-0802 exploitation; the CLSID alone, however, is not the malformed MTEF exploit primitive.
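The detection logic the two heuristics describe, as an added example that is not part of this report or of the scanner that produced it: classify_ole_object applies both rules to one embedded OLE storage (Equation 3.0 CLSID plus a case-insensitive Ole10Native stream is critical, the CLSID alone is high, a Packager object with Ole10Native is benign), and parse_ole10native reads the Ole10Native packager stream so the embedded payload can be carved. Assumptions: stream names are compared after stripping the leading control byte Office puts in front of "Ole10Native"; the stream layout follows the Packager format as oletools' oleobj reads it; the sample stream is constructed here, not the 1016752-byte artifact carved from the sample; scan_with_olefile needs the third-party olefile package and is only called when a path is given.

```python
import struct
from typing import Iterable, Optional

# Well-known OLE class IDs (the Equation 3.0 one is the CLSID quoted in the report).
CLSID_EQUATION3 = "0002CE02-0000-0000-C000-000000000046"  # Microsoft Equation 3.0
CLSID_PACKAGER = "0003000C-0000-0000-C000-000000000046"   # OLE Package object


def _norm(name: str) -> str:
    """Normalise an OLE stream name for comparison: drop the leading control
    byte Office prefixes to names such as "\\x01Ole10Native", then fold case so
    a scrambled "oLe10natIve" still matches."""
    return name.lstrip("\x00\x01\x02\x03\x04\x05\x06\x07").casefold()


def classify_ole_object(clsid: str, stream_names: Iterable[str]) -> Optional[str]:
    """Apply the report's two heuristics to one embedded OLE storage.

    Returns "critical" for an Equation 3.0 object carrying an Ole10Native
    stream (the CVE-2017-11882 delivery shape), "high" for any other Equation
    3.0 object, and None otherwise: a Packager object (CLSID_PACKAGER) holding
    Ole10Native is the normal, benign use of that stream."""
    if clsid.strip("{}").upper() != CLSID_EQUATION3:
        return None
    names = {_norm(n) for n in stream_names}
    if "ole10native" in names:
        return "critical"   # CVE_2017_11882_EQUATION_OLE10NATIVE
    return "high"           # OLE_EQUATION_EDITOR: CLSID presence alone


def parse_ole10native(blob: bytes) -> dict:
    """Parse an Ole10Native (Packager) stream into its header fields and
    embedded data.  Layout assumed here (as oletools' oleobj reads it):
    DWORD size of the remaining stream, WORD flags, ASCIIZ label, ASCIIZ
    source path, two DWORDs, ASCIIZ temp path, DWORD data size, data."""
    def cstr(pos: int):
        end = blob.index(b"\x00", pos)            # ValueError if unterminated
        return blob[pos:end].decode("latin-1"), end + 1

    total_size, flags = struct.unpack_from("<IH", blob, 0)
    pos = 6
    label, pos = cstr(pos)
    src_path, pos = cstr(pos)
    unknown1, unknown2 = struct.unpack_from("<II", blob, pos)
    pos += 8
    temp_path, pos = cstr(pos)
    (data_size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    data = blob[pos:pos + data_size]
    if len(data) != data_size:                    # declared size runs past the stream
        raise ValueError("truncated Ole10Native stream: "
                         f"declared {data_size} bytes, got {len(data)}")
    return {"total_size": total_size, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path,
            "data_size": data_size, "data": data}


def build_ole10native(label: str, src_path: str, temp_path: str, data: bytes) -> bytes:
    """Build a stream in the same layout; used here only to construct test input."""
    z = lambda s: s.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + z(label) + z(src_path)
            + struct.pack("<II", 0, len(temp_path) + 1) + z(temp_path)
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


# Constructed sample stream, NOT the artifact carved from the sample above.
SAMPLE_STREAM = build_ole10native("note.txt", r"C:\src\note.txt",
                                  r"C:\tmp\note.txt", b"CONSTRUCTED-PLACEHOLDER")


def scan_with_olefile(path: str):
    """Walk a real OLE container (third-party olefile package) and return
    [(storage path, verdict)] for every storage the heuristics flag.
    Equation objects in .doc files usually sit under ObjectPool/_NNNNNNNNNN."""
    import olefile  # pip install olefile
    findings = []
    ole = olefile.OleFileIO(path)

    def walk(entry, prefix):
        streams = [k.name for k in entry.kids if k.entry_type == olefile.STGTY_STREAM]
        verdict = classify_ole_object(entry.clsid, streams)
        if verdict:
            findings.append(("/".join(prefix) or "<root>", verdict))
        for k in entry.kids:
            if k.entry_type == olefile.STGTY_STORAGE:
                walk(k, prefix + [k.name])

    walk(ole.root, [])
    ole.close()
    return findings


if __name__ == "__main__":
    import sys
    print(classify_ole_object(CLSID_EQUATION3, ["\x01oLe10natIve"]))  # critical
    print(parse_ole10native(SAMPLE_STREAM)["label"])                  # note.txt
    if len(sys.argv) > 1:
        print(scan_with_olefile(sys.argv[1]))
```

The carved stream name in this report, oLe10natIve, is exactly the case-scrambled form that _norm folds back to ole10native, so the Equation storage it sits in would be rated critical. The parser deliberately refuses a stream whose declared data size runs past the end, because a truncated or padded Ole10Native is a common sign of hand-crafted rather than Office-generated content; when it does parse, the returned data field is what you hand to further analysis of the encrypted font-record payload.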

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 0de8432e435f14381831d321a5c2ddef6d1e7f3e8aa1ff299902e3d247cb574b
Kind: ole-package
Source: OLE Ole10Native stream (name as stored in the document: oLe10natIve)
Size: 1016752 bytes