Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e374faef4ed6eb42…

MALICIOUS

Office (OLE) / .DOC

Size: 908.5 KB
First seen: 2022-05-24
MD5: 7b7af58f77f4d773aa9b0f7418d6c37d
SHA-1: ae4e2398be706f9fab2a7ba382a8baeeda0d7a94
SHA-256: e374faef4ed6eb422e98b5d462444cb74b5de064fcec70e7953ccba756fab940
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing an embedded Equation Editor object, a known vector for exploiting Equation Editor vulnerabilities. The presence of a GetPC stub further suggests code execution capabilities. While no specific script was extracted, the combination of these indicators points to an exploit attempting to achieve arbitrary code execution, likely leading to a secondary payload download.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; rule: SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP EAX) detected in the sample.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256:  9187dc1f085e38cce23433dd68b585db9883def4d639750f040ac2be28b5d3a9
Kind:     ole-package
Source:   OLE Ole10Native stream: oLE10NatIve
Size:     920256 bytes