Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0501a3d69abc7ada…

MALICIOUS

Office (OLE) / .DOC

99.0 KB Created: 1601-01-01 00:02:37 Authoring application: Microsoft Office Word
MD5: 9ad4bac1ea9d5cf43c68e701c754b26c SHA-1: 20ea5b9393fbc95792e82f195a52ecf0d67b47b2 SHA-256: 0501a3d69abc7adae1a188c98041058adfd946a7af8d1f4cebeaa0958b62f257
340 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document identified as malicious. It contains an embedded Portable Executable (PE) file, indicated by the OLE_EMBEDDED_EXE heuristic and the presence of an MZ header at offset 0xBC00. The CVE_2008_2244 heuristic further suggests exploitation of a known Microsoft Word vulnerability to achieve execution of this embedded payload. The document body indicates embedded objects, likely related to the executable payload.

Heuristics 8

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 101,376 bytes but its declared streams total only 34,365 bytes — 67,011 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000bc00.exe
eecf1d05e32a36c1a3751656607e2e24027c2739d240274bcbe68ee8efc84c00		 embedded-pe Office MZ+PE at offset 0xBC00 53248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.