Verdict: MALICIOUS
Risk score: 682
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059 Command and Scripting Interpreter
This OLE document has the static shape of two known Word vulnerabilities (CVE-2007-3899 / MS07-060 and CVE-2008-2244 / MS08-042) and carries an embedded PE file. Strings recovered from the payload region reference CreateProcess, VirtualAlloc, LoadLibrary and GetProcAddress, the API set a shellcode stage needs to resolve imports at runtime, map memory and launch the dropped executable; these are static string hits, not observed calls. The ClamAV match Win.Malware.Razy-9886340-0 independently corroborates the verdict.
Heuristics (15)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; rule CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; rule CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Malware.Razy-9886340-0 (critical; rule CLAMAV_DETECTION): ClamAV signature match on the whole file.
- Embedded PE executable (critical; rule OLE_EMBEDDED_EXE): MZ/PE header found inside the document; possible embedded executable.
- Embedded Office document has suspicious static findings (critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): a CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected (high; rule SC_NOP_SLED): found 20+ consecutive 0x90 bytes; the run here is 96 bytes long (0x50D79..0x50DD8).

  Disassembly (attempted x86 opcode decode; offset, bytes, mnemonic):
  ```
  00050D79 90 nop
  00050D7A 90 nop
  00050D7B 90 nop
  ... 92 more single-byte nops at 00050D7C..00050DD7 ...
  00050DD8 90 nop
  ```
- x86 GetPC stub (CALL $+5; POP EAX) (high; rule SC_GETPC_CALL): position-independent code recovering its own address, the usual prologue of a decoder or API-resolver shellcode stage. The listing below actually holds two variants: `call $+5 ; pop eax` at 0x50D4F and `call $+7 ; nop ; nop ; pop ecx` at 0x50D5D.

  Disassembly (attempted x86 opcode decode; offset, bytes, mnemonic):
  ```
  00050D4F e800000000 call 0x50d54
  00050D54 58 pop eax
  00050D55 eb01 jmp 0x50d58
  00050D57 90 nop
  00050D58 baeb1305e6 mov edx, 0xe60513eb
  00050D5D e802000000 call 0x50d64
  00050D62 90 nop
  00050D63 90 nop
  00050D64 59 pop ecx
  00050D65 f7c01cfcc3ca test eax, 0xcac3fc1c
  00050D6B 6afe push -2
  00050D6D e84d13437c call 0x7c4820bf
  00050D72 6a00 push 0
  00050D74 e8a6b9447c call 0x7c49c71f
  00050D79 90 nop
  ... 52 more single-byte nops at 00050D7A..00050DAD ...
  00050DAE 90 nop
  ```
  This is a linear-sweep decode of a file region, so only the CALL/POP pairs are solid evidence. The `test eax, 0xcac3fc1c` instruction and the two `call 0x7c4...` targets are simply what the bytes decode to at these offsets; the call targets are computed relative to the file offset and are not resolved API addresses, so they should not be read as program logic.
- Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)

  These three are ASCII string hits in the carved payload (see the recovered import strings under Extracted artifacts). LoadLibrary plus GetProcAddress is the pair shellcode uses to resolve imports without an import table, and CreateProcess is how a dropper launches the file it writes out.
- OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY): the OLE file is 620,737 bytes but its declared streams total only 18,208 bytes, so 602,529 bytes (97%) sit in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
- Clipboard command execution lure (high; rule SE_CLIPBOARD_COMMAND_LURE): document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC): string hit; VirtualAlloc is how a stage obtains writable, executable memory for code it decodes or a PE it maps by hand.
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All five were found in document text (OLE body):
  - http://microsoft.com
  - http://crl.microsoft.com/pki/crl/products/CSPCA.crl
  - http://www.microsoft.com/pki/certs/CSPCA.crt
  - http://crl.microsoft.com/pki/crl/products/tspca.crl
  - http://www.microsoft.com/pki/certs/tspca.crt

  The stray "0" and "0H" characters in the raw extraction are DER structure bytes that sit next to these strings, not part of the URLs. These are the CRL and certificate URLs of the Microsoft Code Signing PCA and Timestamping PCA, the kind that appear in an Authenticode certificate chain, so they most likely come from the signature block of the embedded PE rather than from the payload's own network logic and are not useful as network indicators.
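What the NOP-sled, GetPC and API-string heuristics above actually check, as an added illustration that is not the analyzer's own code. The byte buffer is constructed for the example; the GetPC rule is generalized beyond the `CALL $+5 ; POP EAX` case in the rule name to the `CALL $+7 ; nop ; nop ; POP ECX` variant that the disassembly listing shows, by accepting any small non-negative displacement whose target is a single-byte POP.

```python
import re
import struct

# Constructed sample buffer (hypothetical bytes, not taken from the report):
# two GetPC variants, a 24-byte NOP sled and a few ASCII API names, laid out
# the way a payload region carved from OLE slack might look.
SAMPLE = (
    bytes(16)                                   # 0-15    filler
    + b"\xe8\x00\x00\x00\x00\x58"               # 16-21   call $+5 ; pop eax
    + b"\xeb\x01\x90"                           # 22-24   jmp $+3 over one byte
    + b"\xe8\x02\x00\x00\x00\x90\x90\x59"       # 25-32   call $+7 ; (2 skipped) ; pop ecx
    + b"\x90" * 24                              # 33-56   NOP sled
    + b"kernel32.dll\x00"                       # 57-69
    + b"GetProcAddress\x00"                     # 70-84
    + b"LoadLibraryA\x00"                       # 85-97
    + b"VirtualAlloc\x00"                       # 98-110
    + bytes(8)                                  # 111-118 filler
)

# Single-byte POP opcodes that can receive the return address pushed by CALL.
POP_REGS = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
            0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

# Names a loader/dropper stage needs; matched case-insensitively (kernel32.dll / KERNEL32.DLL).
API_NAMES = ["GetProcAddress", "LoadLibraryA", "LoadLibrary", "VirtualAlloc",
             "CreateProcess", "CreateFileA", "kernel32.dll"]


def find_nop_sleds(buf, min_len=20):
    """Runs of at least min_len consecutive 0x90 bytes, as (offset, length)."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(b"\x90{%d,}" % min_len, buf)]


def find_getpc_stubs(buf, max_skip=16):
    """CALL rel32 with a small non-negative displacement whose target byte is a POP reg.
    rel32 == 0 is the classic CALL $+5 ; POP; a small positive rel32 is the variant
    that hops over a few filler bytes first. Returns (call_offset, pop_offset, reg)."""
    hits = []
    for i in range(len(buf) - 4):
        if buf[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", buf, i + 1)[0]
        target = i + 5 + rel
        if 0 <= rel <= max_skip and target < len(buf) and buf[target] in POP_REGS:
            hits.append((i, target, POP_REGS[buf[target]]))
    return hits


def find_api_strings(buf):
    """Case-insensitive ASCII hits for API names: name -> offset of first occurrence."""
    found = {}
    for name in API_NAMES:
        m = re.search(re.escape(name.encode()), buf, re.IGNORECASE)
        if m:
            found[name] = m.start()
    return found


def scan(buf):
    """Run the three checks and key the results by the rule names used in the report."""
    return {
        "SC_NOP_SLED": find_nop_sleds(buf),
        "SC_GETPC_CALL": find_getpc_stubs(buf),
        "SC_STR_API": find_api_strings(buf),
    }


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE).items():
        print(rule, hits)
```

Run against a carved slack region rather than the whole OLE file: NOP runs and ASCII API names also occur legitimately inside an embedded PE's code and import table, so the hit offsets matter more than the hit count.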
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 442,194 bytes | db6c6d8f0870cd895ae1e2f1970329d706be77eb8794778c6d4b2873dbb774bc |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 598,708 bytes | f5dfb1cea3888e0a7fdb97fba1131aeafbf55cfb2956148a703923669a9982dc |

Detection (identical for both artifacts):
- ClamAV: Win.Malware.Razy-9886340-0
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA, CreateFileA, kernel32.dll, KERNEL32.DLL, VirtualAlloc

Both artifacts end at the last byte of the 620,737-byte file (0x560D + 598,708 = 0x2B96F + 442,194 = 620,737), so the carved PE lies inside the carved OLE body, 0x26362 bytes into it. The two ClamAV hits and the two identical static-analysis results therefore describe one payload carved twice at different nesting levels, not two separate payloads.
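How the OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE checks can be computed from the file itself, as an added example that is not the analyzer's code. It builds a small, constructed compound file, walks the FAT and directory, sums the declared stream sizes, counts the sectors that no chain references, and looks for MZ/PE headers only inside those unallocated sectors. Assumptions: a CFB v3 container with 512-byte sectors and no DIFAT overflow sectors; the stream contents, the slack payload and every size in it are hypothetical.

```python
import struct

CFB_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
SECTOR = 512  # v3 compound files use 512-byte sectors


def _dir_entry(name, etype, child, start, size):
    """One 128-byte directory entry (CLSID, state bits and timestamps left zero)."""
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(n)] = n
    struct.pack_into("<HBB", e, 64, len(n), etype, 1)            # name length, type, colour
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)    # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)                  # start sector, size
    return e


def build_sample_cfb(stream_data, slack_payload):
    """Constructed, hypothetical CFB v3 file (not the report's sample): header, one FAT
    sector, one directory sector, one stream chain, then bytes no FAT entry references."""
    n_stream = -(-len(stream_data) // SECTOR)                    # sectors the stream needs
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_stream - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    hdr = bytearray(SECTOR)
    hdr[:8] = CFB_SIG
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: the FAT is sector 0
    directory = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dir_entry("WordDocument", 2, NOSTREAM, 2, len(stream_data))
                 + bytes(256))
    body = stream_data + bytes(n_stream * SECTOR - len(stream_data))
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(directory) + body + slack_payload


def analyze_cfb(data):
    """Declared stream bytes vs bytes in sectors no chain references, plus any MZ/PE
    header that starts inside those unallocated sectors."""
    if data[:8] != CFB_SIG:
        raise ValueError("not a compound file")
    ssize = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff, first_minifat = struct.unpack_from("<II", data, 56)
    difat = list(struct.unpack_from("<109I", data, 76)[:n_fat])  # DIFAT overflow not followed
    fat = []
    for s in difat:
        fat.extend(struct.unpack_from("<%dI" % (ssize // 4), data, (s + 1) * ssize))

    def chain(start):                      # follow a FAT chain; special values are >= len(fat)
        out, s = [], start
        while s < len(fat) and s not in out:
            out.append(s)
            s = fat[s]
        return out

    allocated = set(difat) | set(chain(first_dir)) | set(chain(first_minifat))
    streams = []
    for d in chain(first_dir):
        for off in range((d + 1) * ssize, (d + 2) * ssize, 128):
            etype = data[off + 66]
            if etype not in (2, 5):                      # 2 = stream, 5 = root (owns mini stream)
                continue
            nlen = struct.unpack_from("<H", data, off + 64)[0]
            name = data[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", data, off + 116)
            if etype == 2:
                streams.append((name, size))
                if size < cutoff:                        # lives in the mini stream, counted via root
                    continue
            allocated |= set(chain(start))
    n_sectors = (len(data) - ssize) // ssize             # whole sectors after the header
    slack_bytes = len(data) - ssize * (1 + len(allocated))
    pe_offsets = []
    for s in range(n_sectors + 1):                       # +1 sweeps a partial trailing sector
        if s in allocated:
            continue
        base = (s + 1) * ssize
        for i in range(base, min(base + ssize, len(data)) - 1):
            if data[i:i + 2] == b"MZ" and i + 0x40 <= len(data):
                e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
                if data[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
                    pe_offsets.append(i)
    return {"streams": streams, "declared_stream_bytes": sum(sz for _, sz in streams),
            "allocated_sectors": len(allocated), "slack_bytes": slack_bytes,
            "slack_ratio": slack_bytes / len(data), "pe_offsets": pe_offsets}


# Constructed inputs: a stream just over the 4096-byte mini-stream cutoff so it gets regular
# sectors, and a slack payload of a short NOP run followed by a minimal MZ/PE header.
SAMPLE_STREAM = b"\xec\xa5\xc1\x00" + b"A" * 4500
_mz = bytearray(68)
_mz[:2] = b"MZ"
struct.pack_into("<I", _mz, 0x3C, 64)      # e_lfanew points just past the DOS header
_mz[64:68] = b"PE\x00\x00"
SAMPLE_SLACK = b"\x90" * 32 + bytes(_mz)


def demo():
    return analyze_cfb(build_sample_cfb(SAMPLE_STREAM, SAMPLE_SLACK))


if __name__ == "__main__":
    r = demo()
    print("declared stream bytes:", r["declared_stream_bytes"])
    print("slack bytes: %d (%.1f%%)" % (r["slack_bytes"], 100 * r["slack_ratio"]))
    print("MZ/PE headers in slack at:", [hex(o) for o in r["pe_offsets"]])
```

On a real file the ratio is what matters: a legitimate Word 97 document has a few percent of slack from sector rounding, while a payload carrier like the one in this report has most of its bytes in sectors the FAT never references. Requiring the `e_lfanew` to land on `PE\0\0` keeps a stray "MZ" in text from counting as an embedded executable.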