Malicious Office (OLE) / .RTF — malware analysis report

Static analysis result for SHA-256 1168b901455ca8a1…

MALICIOUS

Office (OLE) / .RTF

92.5 KB Created: 2009-02-19 11:29:45 Authoring application: Microsoft Office Word
MD5: decc1ccfc3fbcde9c5490b1e43121d52 SHA-1: f9bb9b129ab397a890a803ac794fad56604013f2 SHA-256: 1168b901455ca8a1bb3b9d1322b37b35f4f6cabe2ac363fc70ab1bd640506102
460 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains an embedded executable file. Heuristics indicate exploitation of CVE-2008-2244, a known vulnerability in Microsoft Word, which is likely used to drop and execute the embedded PE file. The embedded executable was detected by ClamAV as Win.Trojan.Agent-373960.

Heuristics 10

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-373960 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-373960
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 94,720 bytes but its declared streams total only 34,365 bytes — 60,355 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000bc00.exe
a1e06992c057a6269dd34173891e74191adc15bc4eab181a515b273a69fbbf62		 embedded-pe Office MZ+PE at offset 0xBC00 46592 bytes
Detection
ClamAV: Win.Trojan.Agent-373960
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.