Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0bc74fa78bf80f53…

MALICIOUS

Office (OLE) / .DOC

Size: 60.3 KB (61,767 bytes)
Created: 2005-05-27 09:07:00
Authoring application: Microsoft Word 10.0
MD5: af6f16e500ee8bfccf8992ed0778645c
SHA-1: 503f83c55d9bfbc39f5954d4663f90f7e8ed8d5c
SHA-256: 0bc74fa78bf80f53b73dca0c29d240c7d446259583beb9845daa9e9b4109a47d
Risk score: 440

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample is a Microsoft Word document whose static layout matches the MS08-042 record-parsing exploit family tracked as CVE-2008-2244; the attribution is heuristic (rated "likely" below), not a confirmed trigger. It contains a VBA macro and an embedded PE executable, indicating it is built to drop and run a secondary payload. The VBA module '模块1' (Chinese: 'Module1') contains only a MsgBox call, so the primary malicious activity almost certainly lies in the embedded executable, which ClamAV detects as Win.Trojan.Agent-228397.

Heuristics (10)

  • CVE-2008-2244 — Microsoft Word record-parsing payload [critical; confidence: likely; rule CVE_2008_2244]
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or API-resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable [critical; rule OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document at offset 0x6C00 (see extracted artifacts); possible embedded executable.
  • ClamAV: Win.Trojan.Agent-228397 [critical; rule CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-228397.
  • ClamAV detection on extracted artifact [critical; rule EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to ShellExecute API [high; rule SC_STR_SHELLEXEC]
    String reference to the ShellExecute API, used to launch a dropped file.
  • Reference to LoadLibrary API [high; rule SC_STR_LOADLIBRARY]
    String reference to the LoadLibrary API.
  • Reference to GetProcAddress API [high; rule SC_STR_GETPROCADDRESS]
    String reference to the GetProcAddress API. LoadLibrary plus GetProcAddress plus ShellExecute is the classic resolve-imports-then-launch pattern, but because the scan covers the whole file, the strings may come from the embedded PE's import table rather than from slack-resident shellcode.
  • OLE document has large unaccounted-for region [high; rule OLE_SLACK_ANOMALY]
    OLE file is 61,767 bytes but its declared streams total only 21,704 bytes; the remaining 40,063 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for the binary Office parser exploits of the 2006-2010 era (XOR-encoded shellcode reached via a pointer-corruption bug in the document structure), long before the return of macro-based maldocs.
  • NOP-equivalent sled detected [medium; rule SC_NOP_EQUIV_SLED]
    Long run of 0x61 bytes. On x86, 0x61 is popad, a common NOP-equivalent sled byte; it is also ASCII 'a', so confirm the run is not text filler before treating it as shellcode.
  • VBA macros detected [medium; rule OLE_VBA_MACROS]
    Document contains VBA macro code (module '模块1', a single MsgBox call; decoded source in extracted artifacts).
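The three structural heuristics above (unallocated OLE slack, an MZ/PE header inside the document, and a run of 0x61 bytes) can be reproduced on a raw file without olefile. The following Python is an added example written for this page, not the analysis platform's own code: it builds a small constructed OLE container with an unallocated tail and runs the checks on it. Assumptions: the slack figure approximates the report's "declared streams" total by counting allocated FAT sectors (header DIFAT only, no DIFAT chain), the embedded PE stub is a header only, and the 25% slack and 64-byte sled thresholds are illustrative.

```python
"""Static triage checks for an OLE/.DOC file: unallocated slack, embedded MZ/PE,
and a NOP-equivalent (0x61 / popad) sled. Added example; the sample file below is
constructed here and is not the analysed document."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def ole_slack(data: bytes) -> dict:
    """Bytes covered by allocated FAT sectors versus total file size.
    Approximates the report's 'declared streams' figure by counting every
    non-free FAT entry (so FAT and directory sectors count as allocated)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    # The first 109 FAT sector numbers sit in the header DIFAT at 0x4C; files
    # needing more chain extra DIFAT sectors, which this example does not follow.
    difat = struct.unpack_from("<109I", data, 0x4C)[:num_fat]
    total_sectors = len(data) // sector_size - 1      # sector 0 begins after the header
    per_fat = sector_size // 4
    free = []
    for i, fat_sect in enumerate(difat):
        entries = struct.unpack_from(f"<{per_fat}I", data, (fat_sect + 1) * sector_size)
        for j, entry in enumerate(entries):
            sect = i * per_fat + j
            if sect < total_sectors and entry == FREESECT:
                free.append(sect)
    allocated = (total_sectors - len(free) + 1) * sector_size   # +1 for the header
    slack = len(data) - allocated
    return {"size": len(data), "allocated": allocated, "slack": slack,
            "slack_pct": round(100 * slack / len(data), 1),
            "sector_size": sector_size, "free_sectors": free}


def find_embedded_pe(data: bytes, sector_size: int = 512, free_sectors=()) -> list:
    """(offset, bytes_to_eof, in_unallocated_sector) for each MZ header whose
    e_lfanew lands on a PE\\0\\0 signature; a bare 'MZ' string is not enough."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append((pos, len(data) - pos, (pos // sector_size - 1) in free_sectors))
        pos = data.find(b"MZ", pos + 1)
    return hits


def longest_nop_equiv_run(data: bytes, byte: int = 0x61) -> tuple:
    """(offset, length) of the longest run of `byte`. 0x61 is x86 popad, a
    classic NOP-equivalent, but also ASCII 'a': check the run is not text filler."""
    best, cur = (0, 0), 0
    for i, b in enumerate(data):
        cur = cur + 1 if b == byte else 0
        if cur > best[1]:
            best = (i - cur + 1, cur)
    return best


def triage(data: bytes, slack_pct: float = 25.0, sled_min: int = 64) -> dict:
    """Run all three checks; the thresholds are illustrative assumptions."""
    slack = ole_slack(data)
    pes = find_embedded_pe(data, slack["sector_size"], slack["free_sectors"])
    sled = longest_nop_equiv_run(data)
    findings = []
    if slack["slack_pct"] >= slack_pct:
        findings.append("OLE_SLACK_ANOMALY")
    if pes:
        findings.append("OLE_EMBEDDED_EXE")
    if sled[1] >= sled_min:
        findings.append("SC_NOP_EQUIV_SLED")
    return {"slack": slack, "pe": pes, "sled": sled, "findings": findings}


def build_sample() -> bytes:
    """Constructed input: header, FAT, directory and one stream sector, then three
    unallocated sectors holding a popad sled and a fake MZ/PE stub (header only)."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHH", hdr, 0x1C, 0xFFFE, 9, 6)   # little-endian, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<I", hdr, 0x2C, 1)                 # one FAT sector
    struct.pack_into("<I", hdr, 0x30, 1)                 # directory chain starts at sector 1
    struct.pack_into("<I", hdr, 0x38, 0x1000)            # mini stream cutoff
    struct.pack_into("<II", hdr, 0x3C, ENDOFCHAIN, 0)    # no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)    # no DIFAT chain
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT[0]: FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytes(ss)                                # sector 1, allocated but not parsed here
    stream = b"WordDocument".ljust(ss, b"\0")            # sector 2: the single declared stream
    sled = (b"\x61" * 300).ljust(ss, b"\0")              # sector 3 (free): popad sled
    pe_stub = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0").ljust(ss, b"\0")  # sector 4 (free)
    return bytes(hdr) + fat + directory + stream + sled + pe_stub + bytes(ss)  # sector 5 (free)


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["findings"], result["slack"]["slack_pct"], result["pe"], result["sled"])
```

On the report's own figures the slack check is the decisive one: 61,767 bytes on disk against 21,704 bytes of declared streams, with the carved PE at 0x6C00 sitting in the unallocated tail. The in_unallocated_sector flag is what separates a payload hidden in slack from a legitimately embedded OLE object, which would live in an allocated stream.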

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 567 bytes
  SHA-256: b561f6842168b0dbd5b95cccbec82c422a6330174acca9c971b70fc752d8f934

Filename: embedded_office_00006c00.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x6C00
  Size: 34,119 bytes
  SHA-256: 561343f26f0e41f9af81b5bf2c622670d0b1c8362c9d6af75ae08f927bf8eed8
  Detection: ClamAV: Win.Trojan.Agent-228397
  Obfuscation or payload: unlikely

Consistency check: offset 0x6C00 is 27,648 bytes, and 27,648 + 34,119 = 61,767, exactly the file size. The carved executable therefore starts inside the unallocated region and runs to the end of the file, which matches the slack heuristic above.