MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing an embedded executable payload. Heuristics indicate exploitation of CVE-2012-1856 via MSComctlLib.Toolbar.2, which is a known method for client-side code execution. The large slack space and appended payload suggest the document is designed to deliver a secondary stage.
Heuristics 6
-
MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
-
ClamAV: Doc.Exploit.Agent-1388627 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Exploit.Agent-1388627
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
Disassembly
Attempted x86 opcode disassembly00002C50 90 nop 00002C51 90 nop 00002C52 90 nop 00002C53 90 nop 00002C54 90 nop 00002C55 90 nop 00002C56 90 nop 00002C57 90 nop 00002C58 90 nop 00002C59 90 nop 00002C5A 90 nop 00002C5B 90 nop 00002C5C 90 nop 00002C5D 90 nop 00002C5E 90 nop 00002C5F 90 nop 00002C60 90 nop 00002C61 90 nop 00002C62 90 nop 00002C63 90 nop 00002C64 90 nop 00002C65 90 nop 00002C66 90 nop 00002C67 90 nop 00002C68 0000 add byte ptr [eax], al 00002C6A 0000 add byte ptr [eax], al 00002C6C 0000 add byte ptr [eax], al 00002C6E 0000 add byte ptr [eax], al 00002C70 0000 add byte ptr [eax], al 00002C72 0000 add byte ptr [eax], al 00002C74 800000 add byte ptr [eax], 0 00002C77 800000 add byte ptr [eax], 0 00002C7A 008080008000 add byte ptr [eax + 0x800080], al 00002C80 0000 add byte ptr [eax], al 00002C82 800080 add byte ptr [eax], 0x80 00002C85 0080800000c0 add byte ptr [eax - 0x3fffff80], al 00002C8B c0c000 rol al, 0 00002C8E 808080000000ff add byte ptr [eax + 0x80], 0xff 00002C95 0000 add byte ptr [eax], al 00002C97 ff00 inc dword ptr [eax] 00002C99 0000 add byte ptr [eax], al 00002C9B ff .byte 0xff 00002C9C ff00 inc dword ptr [eax] 00002C9E ff00 inc dword ptr [eax] 00002CA0 0000 add byte ptr [eax], al 00002CA2 ff00 inc dword ptr [eax] 00002CA4 ff00 inc dword ptr [eax] 00002CA6 ff .byte 0xff 00002CA7 ff00 inc dword ptr [eax] 00002CA9 00ff add bh, bh 00002CAB ff .byte 0xff 00002CAC ff00 inc dword ptr [eax] 00002CAE ff .byte 0xff 00002CAF ff .byte 0xff
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 221,213 bytes but its declared streams total only 20,824 bytes — 200,389 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.