Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 efacbebf6377aa42…

MALICIOUS

Office (OLE)

2.45 MB Created: 2013-09-04 00:04:00 Authoring application: Microsoft Office Word First seen: 2017-12-08
MD5: 0fa479b7db4932b63c57a62f4afb17be SHA-1: 4fee3a9c43527092b6514d742393c969b285343d SHA-256: efacbebf6377aa42b94930ee2b5e460ed90d78328ba14fd24a7f049a22c557de
82 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file contains an embedded Equation Editor OLE object and an EPRINT EMF object, both of which are known to be exploited to achieve arbitrary code execution. The document body discusses Monte Carlo option pricing, which is likely a lure. The embedded objects suggest the file is designed to exploit a vulnerability, likely to download and execute a secondary payload.

Heuristics 3

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://citeseer.ist.psu.edu/264429.html In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://ns.adobe.com/iX/1.0/In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.