Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 028ef7d70b4e8604…

MALICIOUS

Office (OLE) / .DOC

145.8 KB
MD5: 156978923b358a8d5e93dd7bad4121c8 SHA-1: 88fb87545c1acddf6b8656cfe25baf08f259c3cd SHA-256: 028ef7d70b4e86047f0c55db8f8ec6148a48b680cdd906d5576ee8fd3dfd42ae
300 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document that leverages CVE-2008-2244 to execute an embedded PE file. The document contains embedded OLE objects and exhibits OLE slack anomalies, indicating potential obfuscation or malicious content. The embedded PE executable is directly executed by the exploit, leading to a high confidence assessment of its malicious intent.

Heuristics 7

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 149,252 bytes but its declared streams total only 31,351 bytes — 117,901 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015a00.exe
3790d97f8b900213a8a7dd58fb7ead8d2d8b190d051c84f70876dc7df62ee0ae		 embedded-pe Office MZ+PE at offset 0x15A00 60676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.