Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a86f5609894f645…

MALICIOUS

Office (OLE)

Size: 804.1 KB (823,389 bytes)
Created: 2007-08-13 02:12:00 (document metadata timestamp; it is written by whoever produced the file and is not evidence of when the sample was built)
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 2e42122a6ce442e06a2c31b6a2bf48f1
SHA-1: 4e9ecc0dc3359362bac37aec029d7e18e37f9d1a
SHA-256: 4a86f5609894f64589cebc129c61a908fa8090e4024279131709aefa6c406001
Risk score: 822

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer

The sample is a Microsoft Word (OLE/CFB) document whose static shape matches two Word file-format exploits, CVE-2007-3899 (MS07-060) and CVE-2008-2244 (MS08-042). Both matches are heuristic: the report did not trigger either bug, it recognised the document structure each exploit family leaves behind. The purpose of the chain is to drop and run a PE file stored in the document's unallocated slack; ClamAV detects that executable as Win.Malware.Virlock-6913537-0. The document also contains a URL of unknown reputation (http://upx.tsx.org). The hostname is the one older releases of the UPX packer embed in the banner string of executables they pack, so it is more likely a string from the packed payload than a download or C2 endpoint; confirm against the carved executable before treating it as network infrastructure.

Heuristics (18)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; rule CVE_2007_3899, CVE likely)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; rule CVE_2008_2244, CVE likely)
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Virlock-6913537-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Malware.Virlock-6913537-0. Virlock is a polymorphic file infector, so the name classifies the embedded executable; it says nothing about who built the exploit document around it.
  • Reference to WriteProcessMemory API (critical; rule SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical; rule SC_STR_CREATEREMOTETHREAD)
    Together with WriteProcessMemory this is the classic remote-thread injection pair. A string match does not say where in the file the name sits (a shellcode resolver table or the embedded PE's import table), so confirm against the carved artifacts' imports before drawing conclusions about the shellcode itself.
  • Embedded PE executable (critical; rule OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings (critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected (high; rule SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes. The run at 0007150E..0007156D is 96 bytes long and begins immediately after the last CALL of the GetPC stub reported under SC_GETPC_CALL. Runs of 0x90 also occur as alignment padding in benign binaries, so on its own the sled is corroborating evidence rather than a detection.
    Disassembly
    Attempted x86 opcode disassembly
    0007150E  90                nop
    ... (94 further identical "90  nop" lines omitted)
    0007156D  90                nop
  • x86 GetPC stub (CALL $+5; POP EAX) (high; rule SC_GETPC_CALL)
    CALL $+5 pushes the address of the following instruction and POP EAX recovers it; this is how position-independent shellcode learns where it was loaded before decoding or addressing anything relative to itself. Two caveats for reading the listing: the CALL targets shown (0x7c202858, 0x7c21ceb8) are rel32 displacements resolved against file offsets, so they are only meaningful once the code sits at its intended runtime address and must not be read as resolved imports; and TEST EDI, imm32 at 000714FA only sets flags, so it is either a junk instruction or the point where the linear disassembler starts mis-decoding. An emulator such as scdbg or libemu, or a sandbox detonation, is the way to find out what the two CALLs actually reach.
    Disassembly
    Attempted x86 opcode disassembly
    000714F1  e800000000        call 0x714f6
    000714F6  58                pop eax
    000714F7  eb01              jmp 0x714fa
    000714F9  90                nop
    000714FA  f7c7c7a6da76      test edi, 0x76daa6c7
    00071500  6afe              push -2
    00071502  e85113197c        call 0x7c202858
    00071507  6a00              push 0
    00071509  e8aab91a7c        call 0x7c21ceb8
    0007150E  90                nop
    ... (65 further identical "90  nop" lines omitted; this is the start of the 0x90 run reported under SC_NOP_SLED)
    00071550  90                nop
  • Reference to WinExec API (high; rule SC_STR_WINEXEC)
  • Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
    LoadLibrary plus GetProcAddress is the minimal pair a shellcode resolver needs once it has found kernel32; the other execution APIs listed here are what such a resolver typically looks up next.
  • OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY)
    OLE file is 823,389 bytes but its declared streams total only 18,208 bytes: 805,181 bytes (98%) lie outside any declared stream, in unallocated sector slack. This is the classic hiding place for payloads of file-format (non-macro) Office exploits: the parser bug corrupts a pointer in the document structure and execution lands on XOR-encoded shellcode in the slack. A Word 97-2003 file saved by Word keeps nearly all of its bytes in allocated streams, so a ratio like this is unusual; data appended after the last allocated sector is the main benign-looking explanation, which is why the slack should be carved and inspected rather than ignored.
  • Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (medium; rule SC_STR_VIRTUALPROTECT)
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://upx.tsx.org (found in document text, OLE body). This hostname is the one older UPX releases embed in the banner string of executables they pack, so it is most likely a string inside the carved PE rather than a download or C2 endpoint; check the carved executable's strings before adding it to any blocklist.
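The OLE_SLACK_ANOMALY figure above is file size minus declared stream bytes. The following is an added example, not code from the report's analysis engine: a minimal MS-CFB reader that walks the header DIFAT, the FAT and the directory chain, sums the declared stream sizes, and separately counts the sectors the FAT actually allocates, so that appended or unallocated data shows up both ways. The sample file it runs on is constructed inline (one 5,000-byte "WordDocument" stream followed by 64 KB of 0x90 bytes); it is not derived from the analysed document. The helper handles only files whose FAT fits in the 109 header DIFAT entries, which covers anything under roughly 7 MB at 512-byte sectors.

```python
import struct

# CFB/OLE constants (MS-CFB). Sector numbers >= DIFSECT are markers, not real sectors.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, DIFSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFC
NOSTREAM = 0xFFFFFFFF


def cfb_slack_report(data: bytes) -> dict:
    """Compare the bytes a CFB file carries with what its FAT and directory account for."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE file")
    major, _, sector_shift = struct.unpack_from("<HHH", data, 26)
    ssz = 1 << sector_shift                      # 512 for v3, 4096 for v4
    num_fat, first_dir = struct.unpack_from("<II", data, 44)

    def sector(n: int) -> bytes:                 # sector n starts after the header-sized sector
        return data[(n + 1) * ssz:(n + 2) * ssz]

    # The header holds the first 109 FAT sector numbers (no DIFAT sectors are followed here).
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:num_fat]:
        if s >= DIFSECT:
            break
        blk = sector(s)
        fat.extend(struct.unpack(f"<{len(blk) // 4}I", blk[: len(blk) // 4 * 4]))

    # Walk the directory chain through the FAT, guarding against loops and truncated FATs.
    dir_bytes, s, seen = b"", first_dir, set()
    while s < DIFSECT and s < len(fat) and s not in seen:
        seen.add(s)
        dir_bytes += sector(s)
        s = fat[s]

    streams = []
    for i in range(len(dir_bytes) // 128):
        e = dir_bytes[i * 128:(i + 1) * 128]
        if e[66] != 2:                           # object type 2 = stream (1 = storage, 5 = root)
            continue
        name_len = struct.unpack_from("<H", e, 64)[0]
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
        start, size_lo, size_hi = struct.unpack_from("<III", e, 116)
        size = size_lo if major == 3 else size_lo | (size_hi << 32)   # v3 ignores the high dword
        streams.append((name, start, size))

    total_sectors = -(-(len(data) - ssz) // ssz)     # sectors after the header, rounding up
    allocated = sum(1 for v in fat[:total_sectors] if v != FREESECT)
    unalloc = (total_sectors - allocated) * ssz
    return {
        "file_size": len(data),
        "declared_stream_bytes": sum(sz for _, _, sz in streams),
        "total_sectors": total_sectors,
        "allocated_sectors": allocated,
        "unallocated_bytes": unalloc,
        "unallocated_pct": 100.0 * unalloc / len(data),
        "streams": streams,
    }


def build_sample(slack: bytes) -> bytes:
    """Constructed v3 CFB file (not bytes from the analysed sample): one 5,000-byte
    'WordDocument' stream in sectors 2..11, then `slack` appended after the last allocated sector."""
    ssz, stream_size = 512, 5000
    n_data = -(-stream_size // ssz)              # 10 data sectors
    hdr = bytearray(ssz)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, shifts
    # num dir sectors (v3: 0), num FAT sectors, first dir sector, txn sig, mini cutoff,
    # first mini-FAT sector, num mini-FAT sectors, first DIFAT sector
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))    # the FAT lives in sector 0

    chain = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat_sector = struct.pack(f"<{ssz // 4}I", *(chain + [FREESECT] * (ssz // 4 - len(chain))))

    def entry(name: str, obj_type: int, child: int, start: int, size: int) -> bytes:
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<II", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", 2, NOSTREAM, 2, stream_size)
                 + entry("", 0, NOSTREAM, 0, 0) * 2)
    body = (b"A" * stream_size).ljust(n_data * ssz, b"\x00")
    return bytes(hdr) + fat_sector + directory + body + slack


if __name__ == "__main__":
    for label, rep in (("clean", cfb_slack_report(build_sample(b""))),
                       ("padded", cfb_slack_report(build_sample(b"\x90" * 65536)))):
        print(label, rep["file_size"], rep["declared_stream_bytes"],
              rep["unallocated_bytes"], round(rep["unallocated_pct"], 1))
```

For a real file, `cfb_slack_report(open(path, "rb").read())` gives the same two views; the declared-stream total reproduces the report's 18,208-byte style figure, and the FAT-based sector count separates "space the FAT never allocated" from "streams that are simply small". For production tooling the olefile library parses the same structures with full DIFAT support.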

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both artifacts run to the end of the file: 0x2B96F + 644,846 bytes and 0x560D + 801,360 bytes both equal 823,389, the total file size. The OLE body carved at 0x560D therefore contains the PE carved at 0x2B96F, which is why the two show identical detections and shellcode indicators. The PE is the artifact to analyse; the second CFB signature at 0x560D is what the carver found wrapped around it.

Filename: embedded_office_0002b96f.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x2B96F
  Size: 644,846 bytes
  SHA-256: c3457c06bc64152365cb07cab622f40fde86f6d66d516e27444c63263caeab94
  Detection: ClamAV: Win.Malware.Virlock-6913537-0
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS
  Recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx

Filename: embedded_office_off0000560d.ole
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside OLE container at offset 0x560D
  Size: 801,360 bytes
  SHA-256: 786b0a19645b1bb029ee35db620c7badd1613dbf6d7824a16eeef80bdc3e6a6c
  Detection: ClamAV: Win.Malware.Virlock-6913537-0
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS
  Recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx
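The static checks behind the SC_NOP_SLED, SC_GETPC_CALL and SC_STR_* findings and the MZ+PE carve are simple enough to reproduce. The following is an added example, not the report's own scanner: it finds 0x90 runs, CALL $+5 / POP r32 stubs, API-name strings (ASCII or UTF-16LE) and MZ headers whose e_lfanew lands on a PE signature, and for each PE computes the on-disk size from the section table. It runs on a blob constructed inline (junk, a GetPC stub, a sled, one API name and a minimal one-section PE32), not on the sample. The carve size here stops at the end of the last section; the report's two artifacts both end at EOF, so its carver evidently takes the remainder of the file, and the two can differ by an overlay.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# API names the report's SC_STR_* rules flag; both ASCII and UTF-16LE spellings are checked.
API_NAMES = ["WriteProcessMemory", "CreateRemoteThread", "WinExec", "CreateProcess",
             "LoadLibrary", "GetProcAddress", "VirtualAlloc", "VirtualProtect"]


def find_nop_sleds(data: bytes, min_len: int = 20) -> list:
    """(offset, length) of every run of at least `min_len` consecutive 0x90 bytes."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and data[j] == 0x90:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def find_getpc_stubs(data: bytes) -> list:
    """CALL $+5 (E8 00 00 00 00) immediately followed by POP r32 (58..5F)."""
    hits, pos = [], data.find(b"\xe8\x00\x00\x00\x00")
    while pos != -1:
        nxt = pos + 5
        if nxt < len(data) and 0x58 <= data[nxt] <= 0x5F:
            hits.append((pos, REG32[data[nxt] - 0x58]))
        pos = data.find(b"\xe8\x00\x00\x00\x00", pos + 1)
    return hits


def carve_pe(data: bytes) -> list:
    """Every MZ header whose e_lfanew lands on 'PE\\0\\0', with the raw size implied by the
    section table (end of the last section on disk); overlays are not included."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 64 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 60)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\x00\x00" and pe + 24 <= len(data):
                machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
                end = 0
                if opt_size >= 64 and pe + 88 <= len(data):
                    end = struct.unpack_from("<I", data, pe + 24 + 60)[0]   # SizeOfHeaders
                for i in range(nsec):
                    sh = pe + 24 + opt_size + i * 40
                    if sh + 40 > len(data):
                        break
                    raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 16)
                    end = max(end, raw_ptr + raw_size)
                end = min(end, len(data) - pos)              # truncated files carve what is there
                found.append({"offset": pos, "size": end,
                              "arch": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))})
        pos = data.find(b"MZ", pos + 1)
    return found


def api_references(data: bytes) -> list:
    return sorted(n for n in API_NAMES if n.encode() in data or n.encode("utf-16-le") in data)


def triage(data: bytes) -> dict:
    return {"nop_sleds": find_nop_sleds(data), "getpc": find_getpc_stubs(data),
            "pe": carve_pe(data), "apis": api_references(data)}


def build_sample() -> bytes:
    """Constructed blob (not bytes from the analysed sample): 64 zero bytes, a CALL/POP GetPC
    stub, a 0x90 sled, an API name, then a minimal one-section PE32 of exactly 1,024 bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, counts, flags
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    pe = (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec).ljust(0x200, b"\x00") + b"\xC3" * 0x200
    stub = b"\xe8\x00\x00\x00\x00\x58\xeb\x01\x90"           # call $+5; pop eax; jmp +1; nop
    return b"\x00" * 64 + stub + b"\x90" * 30 + b"CreateRemoteThread\x00" + pe


if __name__ == "__main__":
    print(triage(build_sample()))
```

Against the constructed blob the stub is reported at offset 64 popping into eax, the sled starts at 72 (the stub's own trailing NOP joins the run, as in the report's listing where the sled follows the GetPC code directly), and the PE is carved at 122 with a 1,024-byte size. Run on the real sample's slack the same functions reproduce the report's three indicator classes; a sled or a lone API string is weak on its own, and it is the co-location with a GetPC stub and an MZ header in unallocated space that makes the finding.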