Verdict: MALICIOUS
Risk Score: 702

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer

Malware Insights
The sample is a malicious OLE (Word 97-2003 binary) document whose static layout matches two Microsoft Word parsing vulnerabilities: CVE-2007-3899 (MS07-060, malformed-string memory corruption) and CVE-2008-2244 (MS08-042, record-parsing memory corruption). Both attributions are static shape matches rated "likely" rather than confirmed by detonation. The document carries an embedded PE executable and references the VirtualProtect, WriteProcessMemory, LoadLibrary, and GetProcAddress APIs, the set a shellcode stage needs to resolve imports by name, make memory executable and write a secondary payload into a process, so it is built to load and execute shellcode or a dropped executable. ClamAV's detection of the file as Win.Malware.Razy-9886340-0 corroborates the verdict.
Heuristics (15)
- [critical] CVE-2007-3899 — Microsoft Word malformed string memory corruption (rule CVE_2007_3899; CVE attribution: likely). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- [critical] CVE-2008-2244 — Microsoft Word record-parsing payload (rule CVE_2008_2244; CVE attribution: likely). Word OLE document has normal, small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- [critical] ClamAV: Win.Malware.Razy-9886340-0 (rule CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Malware.Razy-9886340-0.
- [critical] Reference to WriteProcessMemory API (rule SC_STR_WRITEPROCESSMEMORY).
- [critical] Embedded PE executable (rule OLE_EMBEDDED_EXE). MZ/PE header found inside the document, a possible embedded executable.
- [critical] Embedded Office document has suspicious static findings (rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE). A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- [high] NOP sled detected (rule SC_NOP_SLED). Found 20+ consecutive 0x90 bytes.
  Disassembly (attempted x86 opcode disassembly; 96 consecutive NOPs from 00073294 through 000732F3):
  00073294 90 nop
  00073295 90 nop
  00073296 90 nop
  ...
  000732F1 90 nop
  000732F2 90 nop
  000732F3 90 nop
- [high] x86 GetPC stub (CALL $+5; POP ECX) (rule SC_GETPC_CALL).
  Disassembly (attempted x86 opcode disassembly):
  000731CC e800000000   call 0x731d1
  000731D1 59           pop ecx
  000731D2 eb01         jmp 0x731d5
  000731D4 90           nop
  000731D5 87c1         xchg ecx, eax
  000731D7 ffc0         inc eax
  000731D9 01c8         add eax, ecx
  000731DB b88bd65302   mov eax, 0x253d68b
  000731E0 f7c37b7d83e7 test ebx, 0xe7837d7b
  000731E6 f7d9         neg ecx
  000731E8 69d3ec635d7e imul edx, ebx, 0x7e5d63ec
  000731EE eb01         jmp 0x731f1
  000731F0 90           nop
  000731F1 e802000000   call 0x731f8
  000731F6 90           nop
  000731F7 90           nop
  000731F8 58           pop eax
  000731F9 f7c4c8f42171 test esp, 0x7121f4c8
  000731FF 8bd0         mov edx, eax
  00073201 c7c028188f1d mov eax, 0x1d8f1828
  00073207 87d0         xchg eax, edx
  00073209 bae33e9d55   mov edx, 0x559d3ee3
  0007320E ba79eaa842   mov edx, 0x42a8ea79
  00073213 f7c1e935fd18 test ecx, 0x18fd35e9
  00073219 2de2a1bcd0   sub eax, 0xd0bca1e2
  0007321E c7c2a08375e9 mov edx, 0xe97583a0
  00073224 0fafd4       imul edx, esp
  00073227 01ca         add edx, ecx
  00073229 87d0         xchg eax, edx
  0007322B 0f           .byte 0x0f
  A CALL with a zero displacement pushes the address of the instruction after it, which the following POP recovers into ECX: position-independent code finding its own location. The listing contains a second stub of the same kind at 000731F1 (CALL $+7 over two NOPs, then POP EAX), a variant that a pattern matching only CALL $+5 would miss. The surrounding xchg/inc/add/test/imul instructions with large immediates read as a junk-padded decoder rather than straight-line logic, and the listing ends at a lone 0x0F byte the disassembler could not complete.
- [high] Reference to LoadLibrary API (rule SC_STR_LOADLIBRARY).
- [high] Reference to GetProcAddress API (rule SC_STR_GETPROCADDRESS). Together with LoadLibrary this is the minimal pair a shellcode stage needs to resolve any further import by name at run time.
- [high] OLE document has large unaccounted-for region (rule OLE_SLACK_ANOMALY). The OLE file is 807,461 bytes but its declared streams total only 18,208 bytes; the remaining 789,253 bytes (98%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- [high] Clipboard command execution lure (rule SE_CLIPBOARD_COMMAND_LURE). The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- [medium] Reference to VirtualProtect API (rule SC_STR_VIRTUALPROTECT).
- [medium] Suspicious extracted artifact (rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- [info] Embedded URL (rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://upx.tsx.org (in document text, OLE body). This is the banner string that older UPX releases write into the executables they pack, so it most likely comes from the embedded PE being UPX-packed rather than naming a download or command-and-control location.
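The SC_NOP_SLED, SC_GETPC_CALL and SC_STR_* entries above are byte-pattern heuristics. The Python below is an added example, not the analyzer's own code: it re-implements those three checks and runs them over a constructed buffer that imitates the listings (the CALL $+5 / POP ECX stub, the CALL $+7 / POP EAX variant, a 96-byte NOP sled and an ASCII API string table). It accepts small positive CALL displacements so the $+7 form is caught too, and adds the FPU FSTENV GetPC idiom; the SC_GETPC_FSTENV and SC_STR_READPROCESSMEMORY rule names are assumptions by analogy and do not appear in this report.

```python
"""Static shellcode heuristics over a raw byte buffer.

Added example (not the analyzer's own code): re-implements three of the checks
this report fires, SC_NOP_SLED, SC_GETPC_CALL and the SC_STR_* API-string
references, and runs them on a constructed buffer.
"""
import re
from dataclasses import dataclass

NOP_MIN = 20  # the report's SC_NOP_SLED threshold ("20+ consecutive 0x90 bytes")

# Register named by the low three bits of a one-byte POP r32 (0x58..0x5F).
POP_REG = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# CALL rel32 pushes the address of the next instruction.  A displacement of 0
# is the textbook CALL $+5; small positive displacements hop over filler, as the
# CALL $+7 / POP EAX at 000731F1 in the listing does.  Both are accepted here,
# provided the byte the CALL lands on really is a POP.
GETPC_CALL_RE = re.compile(rb"\xe8([\x00-\x10])\x00\x00\x00")
# FLDZ; FSTENV [ESP-0xC] stores the FLDZ address on the stack: the FPU GetPC idiom.
# Rule name assumed by analogy; the report only shows SC_GETPC_CALL.
GETPC_FSTENV_RE = re.compile(rb"\xd9\xee\xd9\x74\x24\xf4")
NOP_RE = re.compile(rb"\x90{%d,}" % NOP_MIN)

# API name -> rule ID.  The first four IDs appear in the report; the
# ReadProcessMemory ID is assumed by analogy.
API_RULES = {
    b"VirtualProtect": "SC_STR_VIRTUALPROTECT",
    b"WriteProcessMemory": "SC_STR_WRITEPROCESSMEMORY",
    b"ReadProcessMemory": "SC_STR_READPROCESSMEMORY",
    b"LoadLibrary": "SC_STR_LOADLIBRARY",  # also covers LoadLibraryA/W/Ex*
    b"GetProcAddress": "SC_STR_GETPROCADDRESS",
}


@dataclass(frozen=True)
class Hit:
    rule: str
    offset: int
    detail: str


def find_nop_sleds(buf: bytes) -> list:
    return [Hit("SC_NOP_SLED", m.start(), f"{m.end() - m.start()} consecutive 0x90 bytes")
            for m in NOP_RE.finditer(buf)]


def find_getpc_stubs(buf: bytes) -> list:
    hits = []
    for m in GETPC_CALL_RE.finditer(buf):
        disp = m.group(1)[0]
        target = m.end() + disp          # where the CALL transfers control
        if target < len(buf) and 0x58 <= buf[target] <= 0x5F:
            reg = POP_REG[buf[target] & 7].upper()
            hits.append(Hit("SC_GETPC_CALL", m.start(), f"CALL $+{5 + disp}; POP {reg}"))
    hits += [Hit("SC_GETPC_FSTENV", m.start(), "FLDZ; FSTENV [ESP-0xC]")
             for m in GETPC_FSTENV_RE.finditer(buf)]
    return hits


def find_api_strings(buf: bytes) -> list:
    """Plain ASCII and UTF-16LE spellings; import-by-name resolvers carry one or the other."""
    hits = []
    for name, rule in API_RULES.items():
        for needle, enc in ((name, "ascii"), (name.decode().encode("utf-16-le"), "utf-16le")):
            pos = buf.find(needle)
            while pos != -1:
                hits.append(Hit(rule, pos, f"{name.decode()} ({enc})"))
                pos = buf.find(needle, pos + 1)
    return hits


def scan(buf: bytes) -> list:
    return sorted(find_nop_sleds(buf) + find_getpc_stubs(buf) + find_api_strings(buf),
                  key=lambda h: (h.offset, h.rule))


# Constructed sample, not bytes from the analysed document: padding, the first six
# instructions of the stub in this report, the CALL $+7 / POP EAX variant, INT3
# filler, a 96-byte NOP sled and an ASCII resolver string table.
STUB_A = bytes.fromhex("e800000000" "59" "eb01" "90" "87c1" "ffc0")  # CALL $+5; POP ECX; JMP +1; NOP; XCHG ECX,EAX; INC EAX
STUB_B = bytes.fromhex("e802000000" "9090" "58")                     # CALL $+7; NOP; NOP; POP EAX
SAMPLE = (b"\x00" * 64 + STUB_A + STUB_B + b"\xcc" * 16 + b"\x90" * 96
          + b"LoadLibraryA\x00GetProcAddress\x00VirtualProtect\x00")

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:08X}  {h.rule:<26}  {h.detail}")
```

Run stand-alone it lists each hit with its offset; on the constructed buffer that is the two GetPC stubs at 0x40 and 0x4D, the sled at 0x65 and the three API strings. The POP check after the CALL is what keeps the looser displacement match from firing on every `E8 xx 00 00 00` in ordinary code.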
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 628,918 bytes |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 785,432 bytes |

embedded_office_0002b96f.exe
SHA-256: b21f663834cce4a53d4b323a03979082fbaf627c4cf71c966e20cdc2cadd7d99
Detection: ClamAV Win.Malware.Razy-9886340-0
Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA, ReadProcessMemory, VirtualProtect, WriteProcessMemory.

embedded_office_off0000560d.ole
SHA-256: 4e51cf01eff634c1c4765be0f6fb4af420ffa836cf564bae6f0900bdff562806
Detection: ClamAV Win.Malware.Razy-9886340-0
Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA, ReadProcessMemory, VirtualProtect, WriteProcessMemory.

Both carves run to the end of the 807,461-byte sample (0x2B96F + 628,918 = 0x560D + 785,432 = 807,461), so the PE region lies entirely inside the carved OLE body; the identical ClamAV signature and shellcode indicators on the two artifacts reflect one payload scanned twice, not two independent payloads.
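The OLE_SLACK_ANOMALY figures and the carve offsets above both rest on comparing the file size with what the compound file's own structures account for. The Python below is an added example rather than the analyzer's code: it parses the CFB header, FAT and directory to do that accounting, and builds a constructed minimal compound file (one FAT-resident WordDocument stream, then bytes appended past every allocated sector) to run it on. It reports the directory-declared stream total, the measure this report's wording refers to, and the FAT-based unallocated byte count, which is the tighter figure and yields the offset to carve from. Streams small enough to live in the mini stream (under 4,096 bytes) and FATs large enough to need DIFAT sectors are outside what it handles.

```python
"""CFB/OLE sector accounting (added example, not the analyzer's code).

Parses the compound-file header, FAT and directory and reports how many bytes
the FAT actually allocates versus how many the directory declares for streams,
so anything past the allocated sectors shows up as slack.
"""
import struct

SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF


def _read_fat(data: bytes, sector_size: int) -> list:
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    if n_fat > 109:
        raise NotImplementedError("FAT spans DIFAT sectors; only the 109 header DIFAT slots are followed")
    fat = []
    for sec in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, (sec + 1) * sector_size))
    return fat


def _chain(fat: list, start: int):
    seen = set()
    while start <= MAXREGSECT:
        if start in seen or start >= len(fat):
            raise ValueError("corrupt FAT chain")
        seen.add(start)
        yield start
        start = fat[start]


def account(data: bytes) -> dict:
    if data[:8] != SIG:
        raise ValueError("not a CFB file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat = _read_fat(data, sector_size)
    streams = {}
    for sec in _chain(fat, struct.unpack_from("<I", data, 0x30)[0]):
        base = (sec + 1) * sector_size
        for off in range(base, base + sector_size, 128):
            ent = data[off:off + 128]
            if len(ent) < 128 or ent[66] != 2:   # object type 2 = stream (1 storage, 5 root, 0 unused)
                continue
            name_len = struct.unpack_from("<H", ent, 64)[0]   # bytes, including the UTF-16 terminator
            name = ent[:max(name_len - 2, 0)].decode("utf-16-le")
            streams[name] = struct.unpack_from("<I", ent, 120)[0]   # v3 files use the low 32 bits
    n_sectors = len(data) // sector_size - 1             # sector n lives at (n + 1) * sector_size
    free = [i for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT]
    tail = len(data) - (n_sectors + 1) * sector_size     # bytes after the last whole sector
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": sum(streams.values()),
        "allocated_sectors": n_sectors - len(free),
        "unallocated_bytes": len(free) * sector_size + tail,
        "slack_offset": (free[0] + 1) * sector_size if free else None,
    }


def _dir_entry(name: str, typ: int, start: int, size: int, child: int = NOSTREAM) -> bytes:
    ent = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    ent[:len(raw)] = raw
    struct.pack_into("<HBB", ent, 64, len(raw), typ, 1)           # name length, type, colour
    struct.pack_into("<III", ent, 68, NOSTREAM, NOSTREAM, child)   # left, right, child
    struct.pack_into("<IQ", ent, 116, start, size)
    return bytes(ent)


def build_sample(stream: bytes, slack: bytes) -> bytes:
    """Constructed v3 CFB: sector 0 FAT, sector 1 directory, one 'WordDocument'
    stream from sector 2 (must be >= 0x1000 bytes to stay out of the mini stream),
    then `slack` appended past every allocated sector."""
    ss = 512
    n = -(-len(stream) // ss)                                          # ceil(len / ss)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (ss // 4 - len(fat))
    hdr = bytearray(ss)
    hdr[:8] = SIG
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)        # versions, byte order, sector shifts
    struct.pack_into("<IIIII", hdr, 0x2C, 1, 1, 0, 0x1000, ENDOFCHAIN)  # 1 FAT sector, dir at 1, no mini-FAT
    struct.pack_into("<III", hdr, 0x40, 0, ENDOFCHAIN, 0)                # no mini-FAT or DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)          # DIFAT[0] -> FAT at sector 0
    directory = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", 2, 2, len(stream)) + bytes(256))
    return bytes(hdr) + struct.pack(f"<{ss // 4}I", *fat) + directory + stream.ljust(n * ss, b"\x00") + slack


STREAM = b"\xec\xa5".ljust(0x1000, b"\x00")                 # Word FIB magic 0xA5EC then zero fill (constructed)
SLACK = bytes((i & 0xFF) ^ 0x5A for i in range(8192))      # stand-in for XOR-encoded shellcode (constructed)

if __name__ == "__main__":
    r = account(build_sample(STREAM, SLACK))
    pct = 100 * r["unallocated_bytes"] / r["file_size"]
    print(f'{r["file_size"]} bytes; streams declare {r["declared_stream_bytes"]}; '
          f'{r["unallocated_bytes"]} bytes ({pct:.0f}%) unallocated from offset {r["slack_offset"]:#x}')
```

On the constructed file the directory declares 4,096 bytes of stream data while 8,192 bytes sit in sectors the FAT marks free, starting right after the last allocated sector; that slack offset is where a carver should begin looking for the XOR-encoded stage. The FAT-based count is the one to trust when sizing the slack, since the directory sum ignores the FAT and directory sectors themselves.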