Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 01d9f57ee286c071…

MALICIOUS

Office (OLE)

Size: 146.9 KB
Created: 2012-11-23 04:35:00
Authoring application: Microsoft Office Word
First seen: 2015-09-17
MD5: 3e12b149baabdc2c8cb1a027c2b4c300
SHA-1: c39576a5a74791bad2346d2f43492545f88cb5dd
SHA-256: 01d9f57ee286c071fae0f7c6bcbbf0da7c55d804f935ed547f32a3ef6a9a5334
Risk score: 282

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 and CVE-2012-1856. The heuristics flag references to the CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, which suggests the execution of a secondary payload. The document body is heavily corrupted, preventing analysis of its specific lure, but the exploit chain is clear.

Heuristics (8)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (severity: critical; CVE likely; rule CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 (severity: high; CVE likely; rule CVE_2012_1856)
  • Reference to CreateProcess API (severity: high; rule SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high; rule OLE_SLACK_ANOMALY)
    OLE file is 150,432 bytes but its declared streams total only 20,824 bytes — 129,608 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium; rule SC_STR_VIRTUALALLOC)
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)