Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3aaf5b0e32efb1b4…

MALICIOUS

Office (OLE)

Size: 84.5 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
First seen: 2015-09-29
MD5: 833098783b75d0b85c422d7e4644d6a0
SHA-1: 528f58ffe6a3a4c5c275eb983ca2ff06e29b8bda
SHA-256: 3aaf5b0e32efb1b4e2dd2ea65c5fbc0378187b17425e905f0bb45363631f5bb7
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains an embedded PE executable, identified by the OLE_EMBEDDED_EXE heuristic. The critical CVE_2008_2244 heuristic indicates exploitation of a record-parsing vulnerability in Word. References to the ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs suggest that the embedded executable is the payload intended for execution. The document itself appears malformed or obfuscated, with significant slack space, which further indicates malicious intent.

Heuristics (8)

  • CVE-2008-2244 — Microsoft Word record-parsing payload [critical, CVE likely] CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly (attempted x86 opcode disassembly):
    00001900  90                nop
    00001901  90                nop
    00001902  90                nop
    00001903  90                nop
    00001904  90                nop
    00001905  90                nop
    00001906  90                nop
    00001907  90                nop
    00001908  90                nop
    00001909  90                nop
    0000190A  90                nop
    0000190B  90                nop
    0000190C  90                nop
    0000190D  90                nop
    0000190E  90                nop
    0000190F  90                nop
    00001910  90                nop
    00001911  90                nop
    00001912  90                nop
    00001913  90                nop
    00001914  90                nop
    00001915  90                nop
    00001916  90                nop
    00001917  90                nop
    00001918  90                nop
    00001919  90                nop
    0000191A  90                nop
    0000191B  90                nop
    0000191C  90                nop
    0000191D  90                nop
    0000191E  90                nop
    0000191F  90                nop
    00001920  57                push edi
    00001921  5b                pop ebx
    00001922  81ebf0150000      sub ebx, 0x15f0
    00001928  8bd3              mov edx, ebx
    0000192A  4a                dec edx
    0000192B  33c9              xor ecx, ecx
    0000192D  b9a7030000        mov ecx, 0x3a7
    00001932  80340a98          xor byte ptr [edx + ecx], 0x98
    00001936  e2fa              loop 0x1932
    00001938  19749899          sbb dword ptr [eax + ebx*4 - 0x67], esi
    0000193C  98                cwde
    0000193D  98                cwde
    0000193E  13741b5d          adc esi, dword ptr [ebx + ebx + 0x5d]
    00001942  9c                pushfd
    00001943  1317              adc edx, dword ptr [edi]
    00001945  50                push eax
    00001946  9a989811d5c013    lcall 0x13c0, 0xd5119898
    0000194D  17                pop ss
    0000194E  209a989811d5      and byte ptr [edx - 0x2aee6768], bl
    00001954  cc                int3
    00001955  195f40            sbb dword ptr [edi + 0x40], ebx
    00001958  99                cdq
    00001959  98                cwde
    0000195A  98                cwde
    0000195B  135711            adc edx, dword ptr [edi + 0x11]
    0000195E  d5f8              aad 0xf8
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 86,528 bytes but its declared streams total only 16,486 bytes — 70,042 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004c00.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x4C00
Size: 67072 bytes
SHA-256: b5a7a208e3e3a6351cd22490582179b03232f66d283c3defbd64cc358d6d48a8