MALICIOUS
400
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The file is a malicious Microsoft Word document that exploits CVE-2008-2244 to execute a dropped PE-like payload. The embedded executable, detected by ClamAV as Win.Trojan.Agent-1266464, indicates the document's primary purpose is to deliver malware. The document body text appears to be unrelated legal text, suggesting it is a lure.
Heuristics 7
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
ClamAV: Doc.Dropper.Agent-6546842-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6546842-0
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 90,112 bytes but its declared streams total only 16,553 bytes — 73,559 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00004e00.exe |
embedded-pe | Office MZ+PE at offset 0x4E00 | 70144 bytes |
SHA-256: 15e4f091971edf19ae2026ee3226ce3e6144fe981e10427106a03288f98e8dcc |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-1266464
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.