Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22d24e4023b83712…

MALICIOUS

Office (OLE)

Size: 835.5 KB
Created: 2019-05-14 19:54:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 7a312a390dbfa174a858b7373f24578a
SHA-1: 99db51899d4f07011ef01b434bfb666111f5d29d
SHA-256: 22d24e4023b837127292566d1d793c738ed8971d2cbfc49b8bd8c61ec3a8acd6
Risk score: 602

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute arbitrary code. It contains an embedded OLE package that drops a PE executable. The script embedded within the OLE package is designed to download and execute a second-stage payload, indicated by references to the CreateProcess, ShellExecute, LoadLibrary, and GetProcAddress APIs. The document also attempts to lure the user into executing commands via the clipboard and requests sensitive recovery information.

Heuristics (14)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical | CVE likely | CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high | CVE likely | CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical | OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script [critical | OFFICE_PACKAGE_SCRIPT_DROPPER]
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical | OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Recovery secret / private key request [critical | SE_SECRET_RECOVERY_LURE]
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • PEB access via GS segment (x64) [high | SC_PEB_ACCESS_X64]
    Disassembly
    Attempted x86 opcode disassembly
    00082026  65488b042560000000  mov rax, qword ptr gs:[0x60]
    0008202F  8b90bc000000      mov edx, dword ptr [rax + 0xbc]
    00082035  c1ea08            shr edx, 8
    00082038  f6c201            test dl, 1
    0008203B  7511              jne 0x8204e
    0008203D  ff15ae1d0100      call qword ptr [rip + 0x11dae]
    00082043  488bc8            mov rcx, rax
    00082046  8bd3              mov edx, ebx
    00082048  ff157b1c0100      call qword ptr [rip + 0x11c7b]
    0008204E  8bcb              mov ecx, ebx
    00082050  e80c000000        call 0x82061
    00082055  8bcb              mov ecx, ebx
    00082057  ff15ac1b0100      call qword ptr [rip + 0x11bac]
    0008205D  cc                int3
    0008205E  cc                int3
    0008205F  cc                int3
    00082060  cc                int3
    00082061  48895c2408        mov qword ptr [rsp + 8], rbx
    00082066  57                push rdi
    00082067  4883ec20          sub rsp, 0x20
    0008206B  488364243800      and qword ptr [rsp + 0x38], 0
    00082071  4c8d442438        lea r8, [rsp + 0x38]
    00082076  8bf9              mov edi, ecx
    00082078  488d155a380300    lea rdx, [rip + 0x3385a]
    0008207F  33c9              xor ecx, ecx
    00082081  ff                .byte 0xff
    00082082  15                .byte 0x15
    00082083  92                xchg edx, eax
    00082084  1b01              sbb eax, dword ptr [rcx]
  • Reference to CreateProcess API [high | SC_STR_CREATEPROCESS]
  • Reference to ShellExecute API [high | SC_STR_SHELLEXEC]
  • Reference to LoadLibrary API [high | SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high | SC_STR_GETPROCADDRESS]
  • Clipboard command execution lure [high | SE_CLIPBOARD_COMMAND_LURE]
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Suspicious extracted artifact [medium | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_office_000044a1.exe | embedded-pe | Office MZ+PE at offset 0x44A1 | 837983 bytes
  SHA-256: 208823bf896370fa3bfe6b13ad6e975b5c4b6392e65c1c5f4aeb833e0dfe38df
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS. Recovered API/import strings: shell32.dll, ShellExecuteA, GetProcAddress, CreateProcessA, CreateThread, LoadLibraryA
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1619344815/Ole10Native | 829757 bytes
  SHA-256: f1f59f977d920b61f0dc70f71d642c950cd048ddbbe6da301c6f3996c58be2de
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS. Recovered API/import strings: shell32.dll, ShellExecuteA, GetProcAddress, CreateProcessA, CreateThread, LoadLibraryA