Win.Downloader.24465-1 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 185fee11bd431d2c…

MALICIOUS

Office (OLE) / .DOC

32.0 KB Created: 2010-05-05 20:10:00 Authoring application: Microsoft Office Word
MD5: 2884d50919154f0ff72e0f3c9088a619 SHA-1: fc6ff291136d8db2770104b831ffbadccafbe4d6 SHA-256: 185fee11bd431d2cda1aaba415516672c6cdd16352cbca915fa3a235ba0807d6
402 Risk Score

Malware Insights

Win.Downloader.24465-1 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document exploiting CVE-2007-3899 to execute shellcode. It contains an embedded executable file and presents a lure in Italian, 'CLICCA PER LEGGERE EMBED Package', prompting the user to interact with the malicious content. The embedded executable and the ClamAV detection strongly indicate a downloader family.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Downloader.24465-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.24465-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00002e79.exe
d056f52096795dec486e98be941c5ccefd3e1c8d7c31a3b53b09e39bad8431fe		 embedded-pe Office MZ+PE at offset 0x2E79 20871 bytes
Detection
ClamAV: Win.Downloader.25476-1
Obfuscation or payload: unlikely
ole10native_00.bin
ab71eef51c6adf8532fc9c5497488a961b1a91a6f1965c65b824e7d0b248fe49		 ole-package OLE Ole10Native stream: ObjectPool/_1334602803/Ole10Native 12411 bytes
Detection
ClamAV: Win.Downloader.24465-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.