Win.Malware.Razy-9886340-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 0087e95da98cbd65…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 788.5 KB (807,461 bytes)
Created: 2007-08-13 02:12:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: e7d51cde3ec408d73720a5be54539f57
SHA-1: e57c7b8cc314a52fd4a30bed9a8ef84b097109fc
SHA-256: 0087e95da98cbd65400f67b21ade12d036884c7c9e3c4aa0195a836b2e139300
Risk score: 702

Malware Insights

Win.Malware.Razy-9886340-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer

The sample is a malicious Word 97-2003 (OLE) document whose static layout matches two Microsoft Word parser bugs: CVE-2007-3899 (MS07-060, malformed-string memory corruption) and CVE-2008-2244 (MS08-042, record-parsing memory corruption). About 98% of the file lies outside the declared OLE streams, and that slack holds an embedded PE executable and shellcode-style code referencing VirtualProtect, WriteProcessMemory, LoadLibrary and GetProcAddress: the API set a loader needs to resolve imports at run time, make memory writable and executable, and place a second-stage payload into a process. ClamAV flags both the container and the carved executable as Win.Malware.Razy-9886340-0; Razy is a broad ClamAV family label, so it identifies the file as known-bad rather than naming a specific campaign. Both CVE matches are labelled "likely" below because they rest on document shape, not on an observed crash; which bug (if either) actually triggers can only be settled by opening the file in an instrumented, unpatched Word build.

Heuristics (15)

  • CVE-2007-3899: Microsoft Word malformed string memory corruption (severity: critical, CVE match: likely, rule: CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244: Microsoft Word record-parsing payload (severity: critical, CVE match: likely, rule: CVE_2008_2244)
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Razy-9886340-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
  • Reference to WriteProcessMemory API (severity: critical, rule: SC_STR_WRITEPROCESSMEMORY)
    Reference to WriteProcessMemory API
  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings (severity: critical, rule: EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes: 96 of them, at file offsets 0x73294 through 0x732F3, 200 bytes (0xC8) after the GetPC stub at 0x731CC. Runs of 0x90 also occur as alignment padding in ordinary compiled code, so a sled on its own is weak evidence; its weight here comes from sitting next to the GetPC stub and the recovered API strings.
    Disassembly
    Attempted x86 opcode disassembly (all 96 bytes decode to nop; the identical lines are collapsed)
    00073294  90                nop
    ...       94 further one-byte nop instructions, 0x73295 through 0x732F2
    000732F3  90                nop
  • x86 GetPC stub (CALL $+5; POP ECX) (severity: high, rule: SC_GETPC_CALL)
    A CALL with a zero displacement pushes the address of the next instruction, and the POP that follows loads it into ECX: position-independent shellcode does this to learn where it is before decoding itself or resolving imports. The listing below is a linear sweep from the CALL, so only the first few instructions are reliable. After the jmp-over-nop the stream decodes as register loads that overwrite one another (the back-to-back MOV EDX immediates at 0x73209 and 0x7320E, the first of which is dead) plus a second CALL/POP pair, which reads as junk-instruction padding or a decode that has drifted off the real instruction boundary rather than meaningful logic; the trailing .byte 0x0f is where the decoder gave up. By offset, this stub (0x731CC) and the NOP sled (0x73294) both sit inside the byte range the carver attributed to the embedded PE (0x2B96F to end of file), so confirm the real control flow in an emulator, or a debugger attached to a vulnerable Word build, before reading intent into it.
    Disassembly
    Attempted x86 opcode disassembly
    000731CC  e800000000        call 0x731d1
    000731D1  59                pop ecx
    000731D2  eb01              jmp 0x731d5
    000731D4  90                nop
    000731D5  87c1              xchg ecx, eax
    000731D7  ffc0              inc eax
    000731D9  01c8              add eax, ecx
    000731DB  b88bd65302        mov eax, 0x253d68b
    000731E0  f7c37b7d83e7      test ebx, 0xe7837d7b
    000731E6  f7d9              neg ecx
    000731E8  69d3ec635d7e      imul edx, ebx, 0x7e5d63ec
    000731EE  eb01              jmp 0x731f1
    000731F0  90                nop
    000731F1  e802000000        call 0x731f8
    000731F6  90                nop
    000731F7  90                nop
    000731F8  58                pop eax
    000731F9  f7c4c8f42171      test esp, 0x7121f4c8
    000731FF  8bd0              mov edx, eax
    00073201  c7c028188f1d      mov eax, 0x1d8f1828
    00073207  87d0              xchg eax, edx
    00073209  bae33e9d55        mov edx, 0x559d3ee3
    0007320E  ba79eaa842        mov edx, 0x42a8ea79
    00073213  f7c1e935fd18      test ecx, 0x18fd35e9
    00073219  2de2a1bcd0        sub eax, 0xd0bca1e2
    0007321E  c7c2a08375e9      mov edx, 0xe97583a0
    00073224  0fafd4            imul edx, esp
    00073227  01ca              add edx, ecx
    00073229  87d0              xchg eax, edx
    0007322B  0f                .byte 0x0f
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 807,461 bytes but its declared streams total only 18,208 bytes; the remaining 789,253 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Here the slack holds the 628,918-byte PE carved at offset 0x2B96F, and the shellcode candidates at 0x731CC and 0x73294 fall inside that PE's carved range. Legitimate CFB files do carry some freed sectors (fast saves leave them behind), so it is the ratio, not the mere presence of slack, that makes this anomalous.
  • Clipboard command execution lure (severity: high, rule: SE_CLIPBOARD_COMMAND_LURE)
    Document text tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context. Keyword rules of this kind also fire on benign instructions (an IT how-to that says to paste a command into cmd), so read the recovered body text before giving this weight; if the lure is real, it gives the sample a social-engineering path to execution that does not depend on either CVE firing.
  • Reference to VirtualProtect API (severity: medium, rule: SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://upx.tsx.org (in document text, OLE body)
    upx.tsx.org is the historical home page of the UPX executable packer, which older UPX releases stamp into every packed binary as part of the "This file is packed with the UPX executable packer" info string. Its presence here almost certainly comes from the embedded PE being UPX-packed, not from a download or command-and-control URL, so treat it as a packer artifact rather than an indicator to block. It also affects how the API-string hits should be read: LoadLibraryA and GetProcAddress (and, in many UPX versions, VirtualProtect) are exactly the imports a UPX stub keeps so it can rebuild the original import table, so those three strings may belong to the packer and not the payload; ReadProcessMemory and WriteProcessMemory are not part of the stub and are the more telling ones. Unpack the carved executable (upx -d) before reading its import table and strings.
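How the OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE checks above can be reproduced, as an added illustration in Python that is not the analysis platform's own code. It parses the CFB header, FAT and directory itself (no olefile dependency), sums the declared stream sizes, maps which sectors the FAT actually allocates, and then looks for an MZ header with a plausible e_lfanew inside the unallocated bytes. The container it runs on is constructed by hand in build_sample_cfb(): one 5,000-byte WordDocument stream followed by 3,000 bytes of slack that opens with a minimal MZ/PE stub. The stream name, sizes and offsets are made up for the demonstration and do not come from the sample; the mini stream is deliberately not walked, and DIFAT sectors beyond the 109 header entries are not followed.

```python
"""CFB/OLE slack measurement in the spirit of OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE.
Added illustration, not the analysis platform's code; the container is constructed below."""
import struct

FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SS = 512  # sector size implied by sector shift 9 (CFB version 3)


def _dir_entry(name, obj_type, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    """One 128-byte directory entry; siblings are NOSTREAM, CLSID and timestamps zero."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return (raw.ljust(64, b"\x00")
            + struct.pack("<HBBIII", len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
            + b"\x00" * 36                      # CLSID, state bits, creation and modified time
            + struct.pack("<IQ", start, size))


def build_sample_cfb():
    """Constructed sample (not the real file): header, FAT in sector 0, directory in
    sector 1, a 5,000-byte WordDocument stream in sectors 2-11, then 3,000 bytes of
    slack that no FAT entry allocates, beginning with a minimal MZ/PE header."""
    stream_size, n_stream = 5000, 10
    header = (CFB_MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_stream)) + [ENDOFCHAIN]
    fat += [FREESECT] * (SS // 4 - len(fat))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("WordDocument", 2, start=2, size=stream_size)).ljust(SS, b"\x00")
    stream = (b"constructed WordDocument bytes " * 200)[:stream_size].ljust(n_stream * SS, b"\x00")
    pe_stub = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return header + struct.pack("<128I", *fat) + directory + stream + pe_stub.ljust(3000, b"\x00")


def find_embedded_pe(data, regions):
    """Offset of the first MZ in the given byte ranges whose e_lfanew points at PE\\0\\0, else None."""
    for start, end in regions:
        pos = data.find(b"MZ", start, end)
        while pos != -1:
            if pos + 0x40 <= len(data):
                e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
                if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                    return pos
            pos = data.find(b"MZ", pos + 1, end)
    return None


def cfb_slack_report(data):
    """Declared stream bytes vs. FAT-allocated sectors, plus any PE hidden in the leftover."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE container")
    major = struct.unpack_from("<H", data, 26)[0]
    ss = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:    # DIFAT chain past 109 not followed
        if s != FREESECT:
            fat += struct.unpack_from("<%dI" % (ss // 4), data, ss * (s + 1))
    declared, sec, seen = 0, first_dir, set()
    while sec < len(fat) and sec not in seen:                   # ENDOFCHAIN/FREESECT exceed len(fat)
        seen.add(sec)
        for base in range(ss * (sec + 1), ss * (sec + 2), 128):
            if base + 128 <= len(data) and data[base + 0x42] == 2:   # object type 2 = stream
                size = struct.unpack_from("<Q", data, base + 0x78)[0]
                declared += (size & 0xFFFFFFFF) if major == 3 else size  # v3: low 32 bits valid
        sec = fat[sec]
    n_sectors = -(-(len(data) - ss) // ss)                      # ceil: a partial tail sector counts
    regions = []                                                # byte ranges no FAT entry allocates
    for i in range(n_sectors):
        if i >= len(fat) or fat[i] == FREESECT:
            start, end = ss * (i + 1), min(ss * (i + 2), len(data))
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    slack = sum(e - s for s, e in regions)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "allocated_bytes": len(data) - slack, "slack_bytes": slack,
            "slack_ratio": round(slack / len(data), 3),
            "embedded_pe_offset": find_embedded_pe(data, regions)}


if __name__ == "__main__":
    print(cfb_slack_report(build_sample_cfb()))
```

Against the real sample the numbers to compare with are the report's 18,208 declared bytes against 807,461 total and the PE at 0x2B96F. The e_lfanew sanity range keeps a stray "MZ" inside random slack bytes from counting as an executable; a real triage tool would go on to validate the optional header and section table before carving.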

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_0002b96f.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x2B96F
Size: 628,918 bytes
SHA-256: b21f663834cce4a53d4b323a03979082fbaf627c4cf71c966e20cdc2cadd7d99
Detection: ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA, ReadProcessMemory, VirtualProtect, WriteProcessMemory

Filename: embedded_office_off0000560d.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x560D
Size: 785,432 bytes
SHA-256: 4e51cf01eff634c1c4765be0f6fb4af420ffa836cf564bae6f0900bdff562806
Detection: ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA, ReadProcessMemory, VirtualProtect, WriteProcessMemory

The two carves are not independent payloads. Each runs from its start offset to the end of the 807,461-byte file (0x560D + 785,432 = 0x2B96F + 628,918 = 807,461), so the PE lies inside the carved OLE body, and the identical ClamAV hit, indicator set and API strings describe the same bytes twice. The inner CFB header at 0x560D is the nested Word body that EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE refers to; by offset, the GetPC stub (0x731CC) sits inside the PE's carved range rather than in the outer document's own streams. ReadProcessMemory and WriteProcessMemory together with VirtualProtect point to cross-process memory manipulation (injection or patching), so the next step is to unpack the carved PE and inspect its import table and any embedded second stage.
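The SC_* indicators that appear both in the heuristics list and on the two carved artifacts can be reproduced with a small scanner. This is an added illustration in Python, not the analysis platform's own code. SAMPLE is a constructed byte string that reproduces the two GetPC shapes from the listing above (CALL $+5; POP ECX and CALL $+7; NOP; NOP; POP EAX) at made-up offsets, and the rule names are mapped the way the report names them. The GetPC check is generalised beyond the report's exact stub: it accepts any CALL whose forward displacement is up to 15 bytes as long as the byte at the call target is a POP r32.

```python
"""Static shellcode heuristics modelled on SC_NOP_SLED, SC_GETPC_CALL and SC_STR_*.
Added illustration, not the analysis platform's code; SAMPLE is constructed by hand."""
import re

POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}
API_NAMES = [b"VirtualProtect", b"WriteProcessMemory", b"ReadProcessMemory",
             b"LoadLibraryA", b"GetProcAddress"]

SAMPLE = (b"\x55\x8b\xec\x83\xec\x10"                 # ordinary prologue, no indicator
          + b"\x90" * 24                               # 24-byte NOP sled
          + b"\xe8\x00\x00\x00\x00\x59\xeb\x01\x90"    # call $+5; pop ecx; jmp $+3; nop
          + b"\xe8\x02\x00\x00\x00\x90\x90\x58"        # call $+7; nop; nop; pop eax
          + b"\x00LoadLibraryA\x00GetProcAddress\x00VirtualProtect\x00")


def find_nop_sleds(data, min_len=20):
    """(offset, length) of every run of at least min_len consecutive 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]


def find_getpc_stubs(data, max_skip=15):
    """(call_offset, displacement, register) for each CALL rel32 that lands on a POP r32.

    Generalises CALL $+5; POP reg: any forward displacement up to max_skip bytes is
    accepted, so padding between the CALL and its target (the second stub in SAMPLE)
    is caught too. This is a linear byte scan and cannot tell code from data, so
    hits are candidates to confirm in an emulator, not proof of shellcode.
    """
    hits = []
    for i in range(len(data) - 5):
        if data[i] != 0xE8:
            continue
        disp = int.from_bytes(data[i + 1:i + 5], "little", signed=True)
        target = i + 5 + disp
        if 0 <= disp <= max_skip and target < len(data) and data[target] in POP_R32:
            hits.append((i, disp, POP_R32[data[target]]))
    return hits


def find_api_strings(data):
    """Plain-ASCII import names a resolver would look up with GetProcAddress."""
    return sorted(n.decode() for n in API_NAMES if n in data)


def triage(data):
    """Rule IDs in the report's naming scheme plus the raw hits behind them."""
    sleds, stubs, apis = find_nop_sleds(data), find_getpc_stubs(data), find_api_strings(data)
    indicators = (["SC_NOP_SLED"] if sleds else []) + (["SC_GETPC_CALL"] if stubs else [])
    for a in apis:                                   # LoadLibraryA -> SC_STR_LOADLIBRARY
        indicators.append("SC_STR_" + (a[:-1] if a.endswith(("A", "W")) else a).upper())
    return {"indicators": indicators, "nop_sleds": sleds, "getpc_stubs": stubs, "apis": apis}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

All three checks are byte-pattern matches on a linear scan, which is why a hit inside a 628 KB PE region needs confirmation: a 0x90 run can be alignment padding, a CALL/POP pair occurs in ordinary compiled code, and LoadLibraryA/GetProcAddress strings are present in almost every Windows executable's import table, packed or not.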