Win.Malware.Razy-9886340-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 0d7df87df1ceb855…

MALICIOUS

Office (OLE)

625.0 KB Created: 2007-08-13 02:12:00 Authoring application: Microsoft Office Word First seen: 2019-06-27
MD5: 717b5afdf9790db88c5b357c8123f13a SHA-1: 515853affaeebcfbe91f61460d9256df7c625220 SHA-256: 0d7df87df1ceb855c826b62485d883eae3ebcaad8a687ac831dce0a56abded35
662 Risk Score

Malware Insights

Win.Malware.Razy-9886340-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059 Command and Scripting Interpreter

The sample is identified as malicious by ClamAV with the signature Win.Malware.Razy-9886340-0. Static analysis revealed critical findings for CVE-2007-3899 and CVE-2008-2244, indicating exploitation of memory corruption vulnerabilities in Microsoft Word. These exploits facilitate the embedding and execution of a PE executable. The document also contains a lure to execute commands via the clipboard, suggesting an attempt to trick the user into running malicious code.

Heuristics 15

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Razy-9886340-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • x86 GetPC stub (CALL $+5; POP EDX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EDX)
    Disassembly
    Attempted x86 opcode disassembly
    0002CC72  e800000000        call 0x2cc77
0002CC77  5a                pop edx
0002CC78  ffc2              inc edx
0002CC7A  0fc0c1            xadd cl, al
0002CC7D  e800000000        call 0x2cc82
0002CC82  5a                pop edx
0002CC83  f7d2              not edx
0002CC85  0fafd7            imul edx, edi
0002CC88  0fbeca            movsx ecx, dl
0002CC8B  d1f2              sal edx, 1
0002CC8D  0fafd1            imul edx, ecx
0002CC90  f6d8              neg al
0002CC92  bab983e049        mov edx, 0x49e083b9
0002CC97  69c88060c309      imul ecx, eax, 0x9c36080
0002CC9D  8d15d1abaefa      lea edx, [0xfaaeabd1]
0002CCA3  85ce              test esi, ecx
0002CCA5  eb07              jmp 0x2ccae
0002CCA7  21ca              and edx, ecx
0002CCA9  17                pop ss
0002CCAA  98                cwde
0002CCAB  1db6b3e800        sbb eax, 0xe8b3b6
0002CCB0  0000              add byte ptr [eax], al
0002CCB2  005a85            add byte ptr [edx - 0x7b], bl
0002CCB5  ce                into
0002CCB6  86c1              xchg cl, al
0002CCB8  0fc1d0            xadd eax, edx
0002CCBB  2cc3              sub al, 0xc3
0002CCBD  31fa              xor edx, edi
0002CCBF  8ac2              mov al, dl
0002CCC1  0fafd7            imul edx, edi
0002CCC4  f6c6b3            test dh, 0xb3
0002CCC7  e800000000        call 0x2cccc
0002CCCC  5a                pop edx
0002CCCD  c3                ret
0002CCCE  0000              add byte ptr [eax], al
0002CCD0  0000              add byte ptr [eax], al
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 640,036 bytes but its declared streams total only 18,208 bytes — 621,828 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://microsoft.com0 In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/CSPCA.crt0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/tspca.crt0In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0002b96f.exe embedded-pe Office MZ+PE at offset 0x2B96F 461493 bytes
SHA-256: bba48497155d8c9139462afe4499ae8201814d8684bc50a6adc7807a2aae203e
Detection
ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, VirtualProtect, kernel32.dll, KERNEL32.DLL, VirtualAlloc
embedded_office_off0000560d.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x560D 618007 bytes
SHA-256: df7e25dfd0c176fcb3d02461a219a13db4ecb478c7c48580900e763400c13b22
Detection
ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, VirtualProtect, kernel32.dll, KERNEL32.DLL, VirtualAlloc

Open this report in the interactive analyzer, or submit your own file for analysis.