Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 e14ee4bd595766d5…

MALICIOUS

Office (OLE) / .XLSX

167.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2022-12-01
MD5: 8f456ea40f0922ff8f238dabb621d845 SHA-1: fa4791d06577cf6589429c165ad11f5c31b474c5 SHA-256: e14ee4bd595766d55549ed82affb9415509090152c5f76f8034cbdb46a7e823b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1559.001 Component Object Model Hijacking

The critical heuristic firing for CVE-2017-11882 indicates the sample contains a malicious Equation Editor OLE object. This vulnerability is known to be exploited for arbitrary code execution. No document body or scripts were extracted, but the exploit itself is sufficient evidence of malicious intent.

Heuristics 2

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
45f657068376f276b7dda01e02d866e7cf3fdc7005aa897a5d8825fe12165aac		 ole-package OLE Ole10Native stream: MBD022C984B/Ole10Native 9818 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.