Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 40157b77a4459e2f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 480.0 KB
Created: 2013-01-15 06:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 458dfb83e62f5836d805c5468fe914b0
SHA-1: c14f2aeae536cc1ddd250e1ef7b84dc3d8591feb
SHA-256: 40157b77a4459e2f49914cd3ede7bf239e8606cffd2d6424cefd4716de2a6a96
Risk score: 540

Malware Insights

MITRE ATT&CK
  • T1203 — Exploitation for Client Execution
  • T1566.001 — Spearphishing Attachment

The sample is a Microsoft Word document that exploits CVE-2008-2244 to embed and execute a PE file. Heuristics indicate the presence of Metasploit shellcode and references to Windows API functions such as ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, all commonly used by malware. The embedded executable, identified by ClamAV as Win.Trojan.Startpage-444, is the primary payload. The document body contains Chinese text resembling a legal summons, most likely a lure intended to persuade the recipient to open the malicious document.

Heuristics (11)

  • CVE-2008-2244 — Microsoft Word record-parsing payload [critical; CVE likely] CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Trojan.Startpage-444 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Startpage-444
  • Metasploit reverse_tcp shellcode [critical] SC_MSF_REVERSE
    Disassembly: attempted x86 opcode disassembly of the flagged region
    00052C88  fc                cld
    00052C89  e882000000        call 0x52d10
    00052C8E  5f                pop edi
    00052C8F  5e                pop esi
    00052C90  5b                pop ebx
    00052C91  8be5              mov esp, ebp
    00052C93  5d                pop ebp
    00052C94  c3                ret
    00052C95  8d4000            lea eax, [eax]
    00052C98  53                push ebx
    00052C99  56                push esi
    00052C9A  8bd8              mov ebx, eax
    00052C9C  3b5324            cmp edx, dword ptr [ebx + 0x24]
    00052C9F  7436              je 0x52cd7
    00052CA1  8bf2              mov esi, edx
    00052CA3  85f6              test esi, esi
    00052CA5  7518              jne 0x52cbf
    00052CA7  33c0              xor eax, eax
    00052CA9  8a4318            mov al, byte ptr [ebx + 0x18]
    00052CAC  8b0485b8fa4400    mov eax, dword ptr [eax*4 + 0x44fab8]
    00052CB3  50                push eax
    00052CB4  a190fd4400        mov eax, dword ptr [0x44fd90]
    00052CB9  8b00              mov eax, dword ptr [eax]
    00052CBB  ffd0              call eax
    00052CBD  8bd0              mov edx, eax
    00052CBF  895324            mov dword ptr [ebx + 0x24], edx
    00052CC2  c6434401          mov byte ptr [ebx + 0x44], 1
    00052CC6  8b4304            mov eax, dword ptr [ebx + 4]
    00052CC9  e896060000        call 0x53364
    00052CCE  85f6              test esi, esi
    00052CD0  7505              jne 0x52cd7
    00052CD2  33c0              xor eax, eax
    00052CD4  894324            mov dword ptr [ebx + 0x24], eax
    00052CD7  5e                pop esi
    00052CD8  5b                pop ebx
    00052CD9  c3                ret
    00052CDA  8bc0              mov eax, eax
    00052CDC  3b5028            cmp edx, dword ptr [eax + 0x28]
    00052CDF  7413              je 0x52cf4
    00052CE1  895028            mov dword ptr [eax + 0x28], edx
    00052CE4  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 491,520 bytes but its declared streams total only 47,691 bytes — 443,829 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_00010000.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x10000
    Size: 425984 bytes
    SHA-256: c80f3fa3ec9d7fce58c1bb56778f7356b5a840cde36bfdf8fb6479835bce52aa
    Detection: ClamAV: Win.Trojan.Startpage-444
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY
    Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess, shell32.dll, ShellExecuteA