Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eeb0d8bfbfb834e0…

MALICIOUS

Office (OLE) / .DOC

986.0 KB First seen: 2022-05-11
MD5: 77e7dcd7efc56817ddb630e05c35ff4a SHA-1: 55d29f259f67396601d93aa5e0516e16e3918223 SHA-256: eeb0d8bfbfb834e02f8c232513a097de1f40574190716345e7f9cf8c452b073e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Word document containing an embedded Equation Editor OLE object, which is a known vector for exploiting the Equation Editor vulnerability (CVE-2017-11882). This exploit allows for arbitrary code execution upon opening the document. No document body text or scripts were extracted, limiting further analysis of the payload.

Heuristics 2

  • Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: oLe10Native 999183 bytes
SHA-256: 220e60603a7bb7c53323b2a9baef11c4cde96389f9d987b779dae9d55bc88610

Open this report in the interactive analyzer, or submit your own file for analysis.