MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is identified as malicious due to the presence of an embedded Equation Editor OLE object, which is a known exploit for CVE-2017-11882. The document body contains a lure instructing the user to 'CLICK ENABLE EDITING UP TO TRANSLATE LANGUAGE', indicating an attempt to bypass macro security and execute the exploit. The ClamAV detection further confirms the malicious nature, specifically flagging it as Doc.Exploit.CVE_2017_11882-6934206-0.
Heuristics 4
-
Equation Editor OLE object high OLE_EQUATION_EDITOREmbedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 4096 bytes |
SHA-256: ee159ed35d3d77bf233b6c38fe5e1775848bc83eaefb5b20b7f44d2f5eff8145 |
|||
|
Detection
ClamAV:
Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.