Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 411a5bdd88d03810…

MALICIOUS

Office (OLE)

88.0 KB Created: 2009-11-12 07:25:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 3408c5e151c61a288cdd9effcd1d8bf5 SHA-1: 4da6e6aa5ecc7b25058fdb26372f0b10317464c5 SHA-256: 411a5bdd88d03810e55b742a16f459e1ef08fae461bdf30fcca6634998999f9f
400 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is a malicious Microsoft Word document that exploits CVE-2008-2244 to execute a dropped PE-like payload. The embedded executable, detected by ClamAV as Win.Trojan.Agent-1266464, indicates the document's primary purpose is to deliver malware. The document body text appears to be unrelated legal text, suggesting it is a lure.

Heuristics 7

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Doc.Dropper.Agent-6546842-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546842-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 90,112 bytes but its declared streams total only 16,553 bytes — 73,559 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00004e00.exe embedded-pe Office MZ+PE at offset 0x4E00 70144 bytes
SHA-256: 15e4f091971edf19ae2026ee3226ce3e6144fe981e10427106a03288f98e8dcc
Detection
ClamAV: Win.Trojan.Agent-1266464
Obfuscation or payload: unlikely