MALICIOUS
322
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros and an embedded PE executable. Critical heuristics indicate exploitation of CVE-2008-2244 and the presence of an embedded executable, suggesting the document is designed to exploit this vulnerability to deliver a secondary payload. No document body text was available for analysis, but the presence of the embedded executable and the CVE exploit strongly indicate malicious intent.
Heuristics 9
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 130,952 bytes but its declared streams total only 21,704 bytes — 109,248 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLEDLong run of 0x61 bytes
Disassembly
Attempted x86 opcode disassembly00000A02 61 popal 00000A03 61 popal 00000A04 61 popal 00000A05 61 popal 00000A06 61 popal 00000A07 61 popal 00000A08 61 popal 00000A09 61 popal 00000A0A 61 popal 00000A0B 61 popal 00000A0C 61 popal 00000A0D 61 popal 00000A0E 61 popal 00000A0F 61 popal 00000A10 61 popal 00000A11 61 popal 00000A12 61 popal 00000A13 61 popal 00000A14 61 popal 00000A15 61 popal 00000A16 61 popal 00000A17 61 popal 00000A18 61 popal 00000A19 61 popal 00000A1A 61 popal 00000A1B 61 popal 00000A1C 61 popal 00000A1D 61 popal 00000A1E 61 popal 00000A1F 61 popal 00000A20 61 popal 00000A21 61 popal 00000A22 2020 and byte ptr [eax], ah 00000A24 2020 and byte ptr [eax], ah 00000A26 2020 and byte ptr [eax], ah 00000A28 2020 and byte ptr [eax], ah 00000A2A 2020 and byte ptr [eax], ah 00000A2C 2020 and byte ptr [eax], ah 00000A2E 2020 and byte ptr [eax], ah 00000A30 2020 and byte ptr [eax], ah 00000A32 2020 and byte ptr [eax], ah 00000A34 2020 and byte ptr [eax], ah 00000A36 2020 and byte ptr [eax], ah 00000A38 2020 and byte ptr [eax], ah 00000A3A 2020 and byte ptr [eax], ah 00000A3C 2020 and byte ptr [eax], ah 00000A3E 2020 and byte ptr [eax], ah 00000A40 2020 and byte ptr [eax], ah 00000A42 2020 and byte ptr [eax], ah 00000A44 2020 and byte ptr [eax], ah 00000A46 2020 and byte ptr [eax], ah 00000A48 2020 and byte ptr [eax], ah 00000A4A 2020 and byte ptr [eax], ah 00000A4C 2020 and byte ptr [eax], ah 00000A4E 2020 and byte ptr [eax], ah 00000A50 2020 and byte ptr [eax], ah 00000A52 2020 and byte ptr [eax], ah 00000A54 2020 and byte ptr [eax], ah 00000A56 2020 and byte ptr [eax], ah 00000A58 2020 and byte ptr [eax], ah 00000A5A 2020 and byte ptr [eax], ah 00000A5C 2020 and byte ptr [eax], ah 00000A5E 2020 and byte ptr [eax], ah 00000A60 2020 and byte ptr [eax], ah
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 567 bytes |
SHA-256: b561f6842168b0dbd5b95cccbec82c422a6330174acca9c971b70fc752d8f934 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "GifAnimator1, 0, 0, ImageOleLib, GifAnimator" Attribute VB_Control = "GifAnimator11, 0, 1, ImageOleLib, GifAnimator" Private Sub Document_New() MsgBox Now() End Sub Attribute VB_Name = "模块1" Private Sub Document_New() MsgBox Now() End Sub |
|||
embedded_office_00006c00.exe |
embedded-pe | Office MZ+PE at offset 0x6C00 | 103304 bytes |
SHA-256: fc4d3c19feeeeeb87a5606a4bf43b070e5d0849802e51916e3c53ae7f84073b9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.