Buzus — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 3a835eecb93bba43…

MALICIOUS

Office (OLE) / .DOC

Size: 146.5 KB
Created: 2009-01-20 08:59:13
Authoring application: Microsoft Office Word
MD5: 1931595eda38cfc0999eb4a8c3c4eae1
SHA-1: fc590584d897977c0a4f1b114142d62791715484
SHA-256: 3a835eecb93bba4394a713d57c466a0d42cb3d5e2cf3407737a2422efb1a2062
Risk Score: 620

Malware Insights

Buzus · confidence 95%

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1105 Ingress Tool Transfer
  • T1071.001 Application Layer Protocol: Web Protocols

The sample is a malicious Microsoft Word document that exploits CVE-2008-2244 to drop an embedded PE executable. The heuristics indicate references to WinExec, CreateProcess, WriteProcessMemory, LoadLibrary, and GetProcAddress, consistent with shellcode that resolves APIs at runtime and launches the embedded payload. ClamAV identifies the carved artifact as Win.Trojan.Buzus-4137, confirming the Buzus family. The document body contains embedded OLE objects, which is typical for this type of exploit.

Heuristics (14)

  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely) CVE_2008_2244
    The Word OLE document has normal, small WordDocument/table streams, a large unallocated OLE slack region, and an executable or API-resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object (high, CVE related) OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but a malformed EMF record is not proven by this rule alone.
  • Reference to WriteProcessMemory API (critical) SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Embedded PE executable (critical) OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • ClamAV: Win.Trojan.Buzus-4137 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Buzus-4137
  • ClamAV detection on extracted artifact (critical) EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • PEB access via FS segment (x86) (high) SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to WinExec API (high) SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API (high) SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API (high) SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high) SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    The OLE file is 150,016 bytes but its declared streams total only 34,365 bytes, so 115,651 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium) SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API (medium) SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000bc00.exe
SHA-256: b12bf4080a57cedfa5fa40fda1f89d09afd2547ae1c58d3916c5ddf60fb2b48f
Kind: embedded-pe
Source: Office MZ+PE at offset 0xBC00
Size: 101888 bytes
Detection: ClamAV: Win.Trojan.Buzus-4137
Obfuscation or payload: unlikely