Verdict: MALICIOUS
Risk Score: 820

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is a malicious OLE file that exploits CVE-2006-6456 and CVE-2008-2244 to execute embedded shellcode. It contains an embedded PE executable and is detected as Win.Trojan.Bifrose-23302 by ClamAV. The presence of APIs like CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, and GetProcAddress indicates process injection or manipulation, typical of trojan behavior.
Heuristics (17)

- CVE-2006-6456 — Microsoft Word malformed table SPRM (critical, CVE exact, rule CVE_2006_6456): WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.

- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely, rule CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.

- ClamAV: Win.Trojan.Bifrose-23302 (critical, rule CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Bifrose-23302

- Reference to WriteProcessMemory API (critical, rule SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API

- Reference to CreateRemoteThread API (critical, rule SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API

- Embedded PE executable (critical, rule OLE_EMBEDDED_EXE): MZ/PE header found inside document, a possible embedded executable

- Embedded Office document has suspicious static findings (critical, rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.

- NOP sled detected (high, rule SC_NOP_SLED): Found 20+ consecutive 0x90 bytes

  Disassembly (attempted x86 opcode disassembly):

    00000AD0 90 nop
    00000AD1 90 nop
    00000AD2 90 nop
    00000AD3 90 nop
    00000AD4 90 nop
    00000AD5 90 nop
    00000AD6 90 nop
    00000AD7 90 nop
    00000AD8 90 nop
    00000AD9 90 nop
    00000ADA 90 nop
    00000ADB 90 nop
    00000ADC 90 nop
    00000ADD 90 nop
    00000ADE 90 nop
    00000ADF 90 nop
    00000AE0 90 nop
    00000AE1 90 nop
    00000AE2 90 nop
    00000AE3 90 nop
    00000AE4 90 nop
    00000AE5 90 nop
    00000AE6 90 nop
    00000AE7 90 nop
    00000AE8 90 nop
    00000AE9 90 nop
    00000AEA 90 nop
    00000AEB 90 nop
    00000AEC 90 nop
    00000AED 90 nop
    00000AEE 90 nop
    00000AEF 90 nop
    00000AF0 90 nop
    00000AF1 90 nop
    00000AF2 90 nop
    00000AF3 90 nop
    00000AF4 90 nop
    00000AF5 90 nop
    00000AF6 90 nop
    00000AF7 90 nop
    00000AF8 90 nop
    00000AF9 90 nop
    00000AFA 90 nop
    00000AFB 90 nop
    00000AFC 90 nop
    00000AFD 90 nop
    00000AFE 90 nop
    00000AFF 90 nop
    00000B00 90 nop
    00000B01 90 nop
    00000B02 ebfe jmp 0xb02
    00000B04 46 inc esi
    00000B05 46 inc esi
    00000B06 46 inc esi
    00000B07 46 inc esi
    00000B08 47 inc edi
    00000B09 47 inc edi
    00000B0A 47 inc edi
    00000B0B 47 inc edi
    00000B0C 48 dec eax
    00000B0D 48 dec eax
    00000B0E 48 dec eax
    00000B0F 48 dec eax
    00000B10 2000 and byte ptr [eax], al
    00000B12 2000 and byte ptr [eax], al
    00000B14 2000 and byte ptr [eax], al
    00000B16 2000 and byte ptr [eax], al
    00000B18 2000 and byte ptr [eax], al
    00000B1A 2000 and byte ptr [eax], al
    00000B1C 2000 and byte ptr [eax], al
    00000B1E 2000 and byte ptr [eax], al
    00000B20 2000 and byte ptr [eax], al
    00000B22 2000 and byte ptr [eax], al
    00000B24 2000 and byte ptr [eax], al
    00000B26 2000 and byte ptr [eax], al
    00000B28 2000 and byte ptr [eax], al
    00000B2A 2000 and byte ptr [eax], al
    00000B2C 2000 and byte ptr [eax], al
    00000B2E 2000 and byte ptr [eax], al

- x86 GetPC stub (CALL $+5; POP EAX) (high, rule SC_GETPC_CALL): x86 GetPC stub (CALL $+5; POP EAX)

  Disassembly (attempted x86 opcode disassembly):

    0001E66D e800000000 call 0x1e672
    0001E672 58 pop eax
    0001E673 83eb04 sub ebx, 4
    0001E676 e800000000 call 0x1e67b
    0001E67B 58 pop eax
    0001E67C ebe1 jmp 0x1e65f
    0001E67E 6803aae7fd push 0xfde7aa03
    0001E683 5f pop edi
    0001E684 81efe698a7fd sub edi, 0xfda798e6
    0001E68A 57 push edi
    0001E68B e82d000000 call 0x1e6bd
    0001E690 9e sahf
    0001E691 68c08895b1 push 0xb19588c0
    0001E696 7cb2 jl 0x1e64a
    0001E698 93 xchg ebx, eax
    0001E699 6f outsd dx, dword ptr [esi]
    0001E69A 90 nop
    0001E69B 7921 jns 0x1e6be
    0001E69D e0f8 loopne 0x1e697
    0001E69F 6bad45f55f3ea0 imul ebp, dword ptr [ebp + 0x3e5ff545], -0x60
    0001E6A6 ed in eax, dx
    0001E6A7 f3a4 rep movsb byte ptr es:[edi], byte ptr [esi]
    0001E6A9 44 inc esp
    0001E6AA 7485 je 0x1e631
    0001E6AC e243 loop 0x1e6f1
    0001E6AE 97 xchg edi, eax
    0001E6AF b29f mov dl, 0x9f
    0001E6B1 0203 add al, byte ptr [ebx]
    0001E6B3 fa cli
    0001E6B4 b188 mov cl, 0x88
    0001E6B6 aa stosb byte ptr es:[edi], al
    0001E6B7 f9 stc
    0001E6B8 354bfb56bd xor eax, 0xbd56fb4b
    0001E6BD 58 pop eax
    0001E6BE 5f pop edi
    0001E6BF ffe7 jmp edi
    0001E6C1 cf iretd
    0001E6C2 7178 jno 0x1e73c
    0001E6C4 6f outsd dx, dword ptr [esi]
    0001E6C5 a04a6ad5af mov al, byte ptr [0xafd56a4a]
    0001E6CA 51 push ecx
    0001E6CB 1be2 sbb esp, edx

- PEB access via FS segment (x86) (high, rule SC_PEB_ACCESS): PEB access via FS segment (x86)

  Disassembly (attempted x86 opcode disassembly):

    0001675F 64a130000000 mov eax, dword ptr fs:[0x30]
    00016765 8b400c mov eax, dword ptr [eax + 0xc]
    00016768 8b701c mov esi, dword ptr [eax + 0x1c]
    0001676B ad lodsd eax, dword ptr [esi]
    0001676C 8b5808 mov ebx, dword ptr [eax + 8]
    0001676F 8b433c mov eax, dword ptr [ebx + 0x3c]
    00016772 8b440378 mov eax, dword ptr [ebx + eax + 0x78]
    00016776 03c3 add eax, ebx
    00016778 894520 mov dword ptr [ebp + 0x20], eax
    0001677B 8b4818 mov ecx, dword ptr [eax + 0x18]
    0001677E 8b4020 mov eax, dword ptr [eax + 0x20]
    00016781 03c3 add eax, ebx
    00016783 894528 mov dword ptr [ebp + 0x28], eax
    00016786 c7452400000000 mov dword ptr [ebp + 0x24], 0
    0001678D c7450047657450 mov dword ptr [ebp], 0x50746547
    00016794 c74504726f6341 mov dword ptr [ebp + 4], 0x41636f72
    0001679B c7450864647265 mov dword ptr [ebp + 8], 0x65726464
    000167A2 c7450c73730000 mov dword ptr [ebp + 0xc], 0x7373
    000167A9 8bf5 mov esi, ebp
    000167AB 56 push esi
    000167AC 51 push ecx
    000167AD 8b00 mov eax, dword ptr [eax]
    000167AF 03c3 add eax, ebx
    000167B1 8bf8 mov edi, eax
    000167B3 b90e000000 mov ecx, 0xe
    000167B8 f3a6 repe cmpsb byte ptr [esi], byte ptr es:[edi]
    000167BA 7528 jne 0x167e4
    000167BC 83c404 add esp, 4

- Reference to CreateProcess API (high, rule SC_STR_CREATEPROCESS): Reference to CreateProcess API

- Reference to GetProcAddress API (high, rule SC_STR_GETPROCADDRESS): Reference to GetProcAddress API

- OLE document has large unaccounted-for region (high, rule OLE_SLACK_ANOMALY): OLE file is 164,058 bytes but its declared streams total only 94,695 bytes — 69,363 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

- OLE file contains raw shellcode-like resolver payload (high, rule OLE_RAW_SHELLCODE_PAYLOAD): Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.

- Reference to VirtualAlloc API (medium, rule SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API

- Reference to VirtualProtect API (medium, rule SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API

- Suspicious extracted artifact (medium, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0001e400.exe | embedded-pe | Office MZ+PE at offset 0x1E400 | 40154 bytes | aafef969b1914da5a45a447967914e5ece9876c7b5d32a8e471075df14d935c8 |
| embedded_office_off00018200.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x18200 | 65242 bytes | 1d28cd4ce2c7bbb9cd6e888645f1e1b4e0efde99e33591ce596c51d302df7393 |

Detection for embedded_office_0001e400.exe:
- ClamAV: Win.Trojan.Bifrose-23302
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_VIRTUALPROTECT. Static shellcode analysis recovered API/import strings: CreateProcessA, ReadProcessMemory, OpenProcess, VirtualProtect, VirtualProtectEx, ExitProcess. Carved artifact entropy is 7.88, consistent with packed or encrypted content.

Detection for embedded_office_off00018200.ole:
- ClamAV: Win.Trojan.Bifrose-23302
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_VIRTUALPROTECT. Static shellcode analysis recovered API/import strings: CreateProcessA, ReadProcessMemory, OpenProcess, VirtualProtect, VirtualProtectEx, ExitProcess.