MALICIOUS
Risk Score: 482
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute a dropped payload. The embedded Ole10Native package contains a script that attempts to download and execute a second-stage payload from suspicious URLs. The ClamAV detection indicates the family is Win.Packed.Dorifel-9866328-0.
Heuristics 10
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high; CVE likely; CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- ClamAV: Win.Packed.Dorifel-9866328-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Packed.Dorifel-9866328-0
- Ole10Native package payload is a download-and-execute script (critical; OFFICE_PACKAGE_SCRIPT_DROPPER): The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
- Ole10Native package drops an auto-executable payload (critical; OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
- x86 GetPC stub (CALL $+5; POP EAX) (high; SC_GETPC_CALL)
Disassembly
Attempted x86 opcode disassembly:
```asm
00097EF9 e800000000       call 0x97efe
00097EFE 58               pop eax
00097EFF 055a0b0000       add eax, 0xb5a
00097F04 8b30             mov esi, dword ptr [eax]
00097F06 03f0             add esi, eax
00097F08 2bc0             sub eax, eax
00097F0A 8bfe             mov edi, esi
00097F0C 66ad             lodsw ax, word ptr [esi]
00097F0E c1e00c           shl eax, 0xc
00097F11 8bc8             mov ecx, eax
00097F13 50               push eax
00097F14 ad               lodsd eax, dword ptr [esi]
00097F15 2bc8             sub ecx, eax
00097F17 03f1             add esi, ecx
00097F19 8bc8             mov ecx, eax
00097F1B 57               push edi
00097F1C 51               push ecx
00097F1D 49               dec ecx
00097F1E 8a443906         mov al, byte ptr [ecx + edi + 6]
00097F22 880431           mov byte ptr [ecx + esi], al
00097F25 75f6             jne 0x97f1d
00097F27 2bc0             sub eax, eax
00097F29 ac               lodsb al, byte ptr [esi]
00097F2A 8bc8             mov ecx, eax
00097F2C 80e1f0           and cl, 0xf0
00097F2F 240f             and al, 0xf
00097F31 c1e10c           shl ecx, 0xc
00097F34 8ae8             mov ch, al
00097F36 ac               lodsb al, byte ptr [esi]
00097F37 0bc8             or ecx, eax
00097F39 51               push ecx
00097F3A 02cd             add cl, ch
00097F3C bd00fdffff       mov ebp, 0xfffffd00
00097F41 d3e5             shl ebp, cl
00097F43 59               pop ecx
00097F44 58               pop eax
00097F45 8bdc             mov ebx, esp
00097F47 8da46c90f1ffff   lea esp, [esp + ebp*2 - 0xe70]
00097F4E 51               push ecx
00097F4F 2bc9             sub ecx, ecx
00097F51 51               push ecx
00097F52 51               push ecx
00097F53 8bcc             mov ecx, esp
00097F55 51               push ecx
00097F56 668b17           mov dx, word ptr [edi]
```
- Reference to ShellExecute API (high; SC_STR_SHELLEXEC)
- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs:
- http://ocsp.thawte.com0 (Embedded OLE package script)
- http://ts-ocsp.ws.symantec.com07 (Embedded OLE package script)
- http://crl.thawte.com/ThawteTimestampingCA.crl0 (Embedded OLE package script)
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 (Embedded OLE package script)
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( (In document text (OLE body))
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography (In document text (OLE body))
- http://schemas.openxmlformats.org/officeDocument/2006/customXml (In document text (OLE body))
- http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0 (Embedded OLE package script)
Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1480912115/Ole10Native | 680999 bytes |

SHA-256: 1d4bcc63dfa37530c1c9da93763595eec16276fca2cfef8ebf3758a90c36c873

Detection
- ClamAV: Win.Packed.Dorifel-9866328-0
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_SHELLEXEC, SC_GETPC_CALL
- Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, shell32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress
- Carved artifact entropy is 8.00, consistent with packed or encrypted content.