Verdict: MALICIOUS (Risk Score: 660)

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an OLE (compound) document with a PE executable appended after the OLE structures at offset 0x1842C; ClamAV flags both the document and the carved executable as Win.Trojan.Delf-1526 (the Delf family name denotes Delphi-built trojans, and the disassembled code uses Delphi-style stack frames and SEH setup). String heuristics find APIs used for process creation and injection: WinExec, CreateProcess, ShellExecute, WriteProcessMemory, VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress. Two further heuristics report Metasploit reverse_tcp and bind_tcp shellcode, but both hits match only the six-byte cld; call prefix (fc e8 xx 00 00 00): the code that follows is an ordinary function epilogue and prologue that references fixed image addresses (0x4a3cf0, 0x4a5734, 0x475b04) and installs an SEH frame through fs:[0], not the position-independent pushad; mov ebp, esp block_api stub, so they are best treated as false positives inside the embedded executable. The unallocated region flagged by the OLE slack check is fully accounted for by the appended executable, and the report shows no exploit trigger, so the T1203 mapping is inferred from the shellcode heuristics rather than observed. The document body appears to be a list of student scores, most likely a lure for the embedded payload.
Heuristics (14)

-
ClamAV: Win.Trojan.Delf-1526 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Delf-1526.
-
Metasploit reverse_tcp shellcode [critical, SC_MSF_REVERSE]: Metasploit reverse_tcp shellcode pattern.
Disassembly (x86; validity: code (0.969); 16/16 branch targets land on an instruction boundary, 100% coherence):

```asm
00066638  fc                cld
00066639  e882000000        call 0x666c0
0006663E  5f                pop edi
0006663F  5e                pop esi
00066640  5b                pop ebx
00066641  8be5              mov esp, ebp
00066643  5d                pop ebp
00066644  c3                ret
00066645  8d4000            lea eax, [eax]
00066648  53                push ebx
00066649  56                push esi
0006664A  8bd8              mov ebx, eax
0006664C  3b5324            cmp edx, dword ptr [ebx + 0x24]
0006664F  7436              je 0x66687
00066651  8bf2              mov esi, edx
00066653  85f6              test esi, esi
00066655  7518              jne 0x6666f
00066657  33c0              xor eax, eax
00066659  8a4318            mov al, byte ptr [ebx + 0x18]
0006665C  8b0485f03c4a00    mov eax, dword ptr [eax*4 + 0x4a3cf0]
00066663  50                push eax
00066664  a134574a00        mov eax, dword ptr [0x4a5734]
00066669  8b00              mov eax, dword ptr [eax]
0006666B  ffd0              call eax
0006666D  8bd0              mov edx, eax
0006666F  895324            mov dword ptr [ebx + 0x24], edx
00066672  c6434401          mov byte ptr [ebx + 0x44], 1
00066676  8b4304            mov eax, dword ptr [ebx + 4]
00066679  e8ba060000        call 0x66d38
0006667E  85f6              test esi, esi
00066680  7505              jne 0x66687
00066682  33c0              xor eax, eax
00066684  894324            mov dword ptr [ebx + 0x24], eax
00066687  5e                pop esi
00066688  5b                pop ebx
00066689  c3                ret
0006668A  8bc0              mov eax, eax
0006668C  3b5028            cmp edx, dword ptr [eax + 0x28]
0006668F  7413              je 0x666a4
00066691  895028            mov dword ptr [eax + 0x28], edx
00066694  c6402c00          mov byte ptr [eax + 0x2c], 0
```

Note: only the leading six bytes (fc e8 82 00 00 00: cld; call) match the Metasploit stager. What follows the call is a function epilogue (pop edi/esi/ebx; mov esp, ebp; pop ebp; ret) rather than the pushad; mov ebp, esp that opens the block_api stub, and the next function dereferences fixed image addresses (0x4a3cf0, 0x4a5734), which position-independent shellcode cannot do. Treat this as compiled code inside the embedded executable, not shellcode.
-
Metasploit bind_tcp shellcode [critical, SC_MSF_BIND]: Metasploit bind_tcp shellcode pattern.
Disassembly (x86; validity: code (0.944); 9/10 branch targets land on an instruction boundary, 90% coherence):

```asm
0008D2B1  fc                cld
0008D2B2  e889000000        call 0x8d340
0008D2B7  c3                ret
0008D2B8  e96fe8f8ff        jmp 0x1bb2c
0008D2BD  ebf0              jmp 0x8d2af
0008D2BF  33c0              xor eax, eax
0008D2C1  8945f0            mov dword ptr [ebp - 0x10], eax
0008D2C4  8b45f0            mov eax, dword ptr [ebp - 0x10]
0008D2C7  8be5              mov esp, ebp
0008D2C9  5d                pop ebp
0008D2CA  c20400            ret 4
0008D2CD  8d4000            lea eax, [eax]
0008D2D0  55                push ebp
0008D2D1  8bec              mov ebp, esp
0008D2D3  83c4f4            add esp, -0xc
0008D2D6  53                push ebx
0008D2D7  894df4            mov dword ptr [ebp - 0xc], ecx
0008D2DA  8955f8            mov dword ptr [ebp - 8], edx
0008D2DD  8945fc            mov dword ptr [ebp - 4], eax
0008D2E0  83caff            or edx, 0xffffffff
0008D2E3  8b45fc            mov eax, dword ptr [ebp - 4]
0008D2E6  e825fcffff        call 0x8cf10
0008D2EB  85c0              test eax, eax
0008D2ED  7448              je 0x8d337
0008D2EF  33c0              xor eax, eax
0008D2F1  55                push ebp
0008D2F2  68045b4700        push 0x475b04
0008D2F7  64ff30            push dword ptr fs:[eax]
0008D2FA  648920            mov dword ptr fs:[eax], esp
0008D2FD  8b4d08            mov ecx, dword ptr [ebp + 8]
0008D300  8b55f8            mov edx, dword ptr [ebp - 8]
0008D303  8b45fc            mov eax, dword ptr [ebp - 4]
0008D306  8b18              mov ebx, dword ptr [eax]
0008D308  ff5304            call dword ptr [ebx + 4]
0008D30B  8b45fc            mov eax, dword ptr [ebp - 4]
0008D30E  8b4034            mov eax, dword ptr [eax + 0x34]
```

Note: again only fc e8 89 00 00 00 matches; it is immediately followed by ret and two jmps, and the function at 0008D2D0 is a normal stack frame (push ebp; mov ebp, esp; add esp, -0xc) that installs an exception frame on fs:[0] with the fixed handler address 0x475b04. This is compiled code with absolute addresses, not a stager.
-
Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]
-
Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document; possible embedded executable.
-
Reference to WinExec API [high, SC_STR_WINEXEC]
-
Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
-
Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
-
Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
-
Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
-
OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 886,272 bytes but its declared streams total only 96,991 bytes; 789,281 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Note: here the region is accounted for. The carved executable starts at offset 0x1842C (99,372) and is 786,900 bytes long, and 99,372 + 786,900 = 886,272 is exactly the file size, so it fills the slack through to end of file. The remaining 2,381 bytes (99,372 - 96,991) are the OLE header, FAT and directory sectors and sector padding, which a stream-size total never counts. This is a plain PE appended to the document, not encoded shellcode behind a parser bug.
-
Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
-
Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
-
Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
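Because both SC_MSF_* hits above match on the six-byte cld; call prefix alone, the next check an analyst wants is whether the Metasploit api_call block actually follows it. The script below is an added example, not code from this report or its analyzer. MSF_STAGER_HEAD is the public opening of the Metasploit x86 reverse_tcp stager, embedded as a constructed true positive; REPORT_HIT_1 and REPORT_HIT_2 are the bytes transcribed from the two disassemblies on this page; the classifier, its verdict strings and the 16-byte look-ahead window are this example's own choices.

```python
# Added example (not the analyzer's code): confirm or downgrade an SC_MSF_* hit.
# Metasploit's x86 block_api stagers open with
#   fc e8 xx 00 00 00   cld; call <start>      (the call skips over api_call)
#   60 89 e5            pushad; mov ebp, esp   (first bytes of api_call)
# and read the PEB from fs:[0x30] a few bytes later. Compiled code can contain
# "fc e8 xx 00 00 00" by accident, so the six-byte prefix alone is weak evidence.
import re

PREFIX = re.compile(rb"\xfc\xe8(.)\x00\x00\x00", re.DOTALL)
API_CALL_OPEN = b"\x60\x89\xe5"                          # pushad; mov ebp, esp
PEB_READS = (b"\x64\x8b\x50\x30", b"\x64\x8b\x52\x30")   # mov edx, fs:[eax+0x30] / fs:[edx+0x30]

# Constructed inputs. MSF_STAGER_HEAD is the well-known opening of the x86
# reverse_tcp stager; REPORT_HIT_1/2 are the bytes shown in this report's two
# disassemblies (0x66638 and 0x8D2B1), transcribed from the listings.
MSF_STAGER_HEAD = bytes.fromhex("fce882000000" "6089e531c0648b5030")
REPORT_HIT_1 = bytes.fromhex("fce882000000" "5f5e5b8be55dc3")
REPORT_HIT_2 = bytes.fromhex("fce889000000" "c3e96fe8f8ff")


def classify_msf_hits(buf: bytes):
    """Return (offset, call_displacement, verdict) for every cld; call prefix.

    verdict is "msf_block_api" only when the api_call opening and a PEB read
    follow the prefix within 16 bytes; otherwise "cld_call_only", which is what
    a compiled function that merely ends or starts with these bytes looks like.
    """
    hits = []
    for m in PREFIX.finditer(buf):
        disp = m.group(1)[0]
        tail = buf[m.end():m.end() + 16]
        is_stub = tail.startswith(API_CALL_OPEN) and any(p in tail for p in PEB_READS)
        hits.append((m.start(), disp, "msf_block_api" if is_stub else "cld_call_only"))
    return hits


def verdicts(buf: bytes):
    """Just the verdict strings, in file order."""
    return [v for _, _, v in classify_msf_hits(buf)]


if __name__ == "__main__":
    for name, blob in (("msf", MSF_STAGER_HEAD), ("report_1", REPORT_HIT_1), ("report_2", REPORT_HIT_2)):
        print(name, classify_msf_hits(blob))
```

Run against the report's own bytes, both hits come back as cld_call_only while the real stager head is recognised, which is the basis for downgrading the two critical SC_MSF_* findings to informational.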
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0001842c.exe | embedded-pe | Office MZ+PE at offset 0x1842C | 786,900 bytes | 1d65eeb4a161451b4c1425355d3de56c78310d3153401e1181f9b62efc894ac5 |

Detection for embedded_office_0001842c.exe:
- ClamAV: Win.Trojan.Delf-1526
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: SC_MSF_REVERSE, SC_MSF_BIND, SC_STR_VIRTUALALLOC. Recovered API/import strings: VirtualAlloc, LoadLibraryExA, GetProcAddress, ExitProcess, kernel32.dll, KERNEL32.DLL.
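The OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE heuristics and the artifact table above rest on three measurements: the stream sizes declared in the compound-file directory, the end of the last allocated sector, and an MZ header whose e_lfanew lands on a PE signature. The script below is an added example that reproduces them on a constructed sample (a minimal four-sector compound file with one 300-byte stream and a one-section PE appended after it) and adds the cross-check applied to this report's numbers, whether the carved PE lies entirely past the allocated sectors; it is not the analyzer's code. It assumes a version-3 compound file (512-byte sectors) whose FAT is listed in the header DIFAT; the function names, the sample and the triage dict keys are this example's own.

```python
# Added example, not the analyzer's code: reproduce OLE_SLACK_ANOMALY and
# OLE_EMBEDDED_EXE on a constructed compound file and cross-check whether the
# carved PE sits entirely past the last allocated sector (i.e. was appended).
# Assumptions: v3 compound file (512-byte sectors), FAT listed in the header DIFAT.
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def cfb_accounting(buf: bytes):
    """Return (sum of declared stream sizes, offset just past the last allocated sector)."""
    if buf[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    ssize = 1 << struct.unpack_from("<H", buf, 0x1E)[0]          # sector shift, 9 for v3
    n_fat, first_dir = struct.unpack_from("<II", buf, 0x2C)
    sect = lambda n: buf[(n + 1) * ssize:(n + 2) * ssize]        # sector n follows the 512-byte header
    fat = []
    for i in range(min(n_fat, 109)):                             # header-resident DIFAT entries only
        fat_sector = struct.unpack_from("<I", buf, 0x4C + 4 * i)[0]
        fat += struct.unpack(f"<{ssize // 4}I", sect(fat_sector))
    declared, s, seen = 0, first_dir, set()
    while s != ENDOFCHAIN and s not in seen:                     # walk the directory chain via the FAT
        seen.add(s)
        d = sect(s)
        for off in range(0, ssize, 128):                         # 128-byte directory entries
            if d[off + 0x42] == STREAM:                          # v3: only the low 32 bits of size are valid
                declared += struct.unpack_from("<I", d, off + 0x78)[0]
        s = fat[s]
    last_used = max(i for i, e in enumerate(fat) if e != FREESECT)
    return declared, (last_used + 2) * ssize


def carve_pe(buf: bytes):
    """[(offset, size)] for each MZ header whose e_lfanew points at a PE signature.
    Size = highest PointerToRawData + SizeOfRawData in the section table."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            pe = pos + struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if pe + 24 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", buf, pe + 6)[0]
                opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
                sec, end = pe + 24 + opt_size, 0
                if sec + 40 * nsec <= len(buf):
                    for i in range(nsec):
                        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + 40 * i + 16)
                        end = max(end, raw_ptr + raw_size)
                    hits.append((pos, end))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def triage(buf: bytes) -> dict:
    """The numbers the report's OLE heuristics are built from, plus the appended-PE check."""
    declared, alloc_end = cfb_accounting(buf)
    pes = carve_pe(buf)
    return {"file_size": len(buf), "declared_streams": declared,
            "unaccounted": len(buf) - declared,                  # what OLE_SLACK_ANOMALY reports
            "allocated_end": alloc_end, "pes": pes,
            "appended_pe": bool(pes) and all(off >= alloc_end for off, _ in pes)}


def build_sample() -> bytes:
    """Constructed sample: header, FAT, directory and one 300-byte stream (4 sectors),
    then a minimal one-section PE appended at offset 2048."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)     # v3, little-endian, 512/64-byte sectors
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)       # DIFAT[0]: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *[FREESECT] * 125)

    def entry(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry("Scores", STREAM, NOSTREAM, 2, 300) + bytes(256)
    stream = b"A" * 300 + bytes(212)
    pe = bytearray(0x40)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                                         # e_lfanew -> PE signature
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)         # COFF: i386, 1 section, no optional header
    pe += b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    pe += bytes(0x200 - len(pe)) + b"\xCC" * 0x200                                 # raw section data at 0x200..0x400
    return bytes(hdr) + fat + directory + stream + bytes(pe)


if __name__ == "__main__":
    print(triage(build_sample()))
```

On the constructed sample the unaccounted figure (2,772 bytes) overstates the hidden data, exactly as it does for this report: the difference between it and the carved PE (1,024 bytes) is header, FAT and directory overhead plus sector padding, and the PE starts at the first byte past the allocated sectors, so it was appended rather than tucked into a stream or reached through a corrupted pointer.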