Verdict: MALICIOUS
Risk Score: 822

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1105 Ingress Tool Transfer
The sample is a Microsoft Word (OLE/CFB) document whose static structure matches two Word parsing exploits, CVE-2007-3899 (MS07-060) and CVE-2008-2244 (MS08-042), and which carries an embedded PE executable together with shellcode-like code in the unallocated region of the container. The embedded executable is detected by ClamAV as Win.Malware.Virlock-6913537-0. Both CVE attributions are heuristic matches on document shape (rated "likely" in the heuristics below), not confirmed exploitation; the ClamAV hit on the carved PE is the firm detection. The document also contains one URL of unknown reputation in its body text (see the EMBEDDED_URL entry), which on its own is not evidence of payload delivery or C2.
Heuristics (18)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; CVE_2007_3899]
  Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload [critical; CVE likely; CVE_2008_2244]
  Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Malware.Virlock-6913537-0 [critical; CLAMAV_DETECTION]
  ClamAV detected this file as malware: Win.Malware.Virlock-6913537-0.
- Reference to WriteProcessMemory API [critical; SC_STR_WRITEPROCESSMEMORY]
- Reference to CreateRemoteThread API [critical; SC_STR_CREATEREMOTETHREAD]
  Together these two imports are the standard remote-thread injection pair: write a payload into another process, then start a thread on it.
- Embedded PE executable [critical; OLE_EMBEDDED_EXE]
  MZ/PE header found inside the document; possible embedded executable.
- Embedded Office document has suspicious static findings [critical; EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]
  A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected [high; SC_NOP_SLED]
  Found 20+ consecutive 0x90 bytes.
  Disassembly (attempted x86 opcode decode; addresses are file offsets, not runtime addresses):
    0007150E-0007156D  90  nop   (96 consecutive NOPs)
- x86 GetPC stub (CALL $+5; POP EAX) [high; SC_GETPC_CALL]
  Disassembly (attempted x86 opcode decode; addresses are file offsets, not runtime addresses):
    000714F1  e800000000    call 0x714f6          ; CALL $+5 pushes the address of the next instruction
    000714F6  58            pop eax               ; EAX now holds the code's own address (GetPC)
    000714F7  eb01          jmp 0x714fa           ; skips the single 0x90 byte that follows
    000714F9  90            nop
    000714FA  f7c7c7a6da76  test edi, 0x76daa6c7
    00071500  6afe          push -2
    00071502  e85113197c    call 0x7c202858
    00071507  6a00          push 0
    00071509  e8aab91a7c    call 0x7c21ceb8
    0007150E-00071550  90  nop   (67 consecutive NOPs)
  Caveat: the linear decoder resolved the two CALL targets relative to the file offset. Both 0x7c202858 and 0x7c21ceb8 lie far beyond the end of the 823,389-byte file, so they are meaningless as file offsets; if these bytes are real code, the rel32 displacements (0x7c191351 and 0x7c1ab9aa) only resolve at whatever address the shellcode occupies at run time, which static analysis cannot know. The CALL $+5 / POP EAX pair is the reliable part of this finding: it is how position-independent shellcode learns its own address before decoding or locating its payload.
- Reference to WinExec API [high; SC_STR_WINEXEC]
- Reference to CreateProcess API [high; SC_STR_CREATEPROCESS]
- Reference to LoadLibrary API [high; SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]
- OLE document has large unaccounted-for region [high; OLE_SLACK_ANOMALY]
  OLE file is 823,389 bytes but its declared streams total only 18,208 bytes — 805,181 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualAlloc API [medium; SC_STR_VIRTUALALLOC]
- Reference to VirtualProtect API [medium; SC_STR_VIRTUALPROTECT]
- Suspicious extracted artifact [medium; EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://upx.tsx.org (in document text, OLE body)
  Note: http://upx.tsx.org is the project URL that older releases of the UPX executable packer write into the info string of every binary they pack. Found alongside an embedded PE, it most plausibly marks a UPX-packed payload rather than a download or C2 endpoint; treat it as a packer artifact unless dynamic analysis shows the sample actually contacting it.
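The OLE_SLACK_ANOMALY figure above (declared stream bytes set against the file size, with the remainder sitting in sectors that no FAT chain claims) can be reproduced with a short CFB walker. The following is an added example written for this page, not the analyzer's own code: it parses the CFB header, FAT and directory, sums the declared stream sizes, walks each stream's sector chain, and counts the sectors present in the file that the FAT leaves unallocated. The input is a CFB container constructed inline with ten unreferenced trailing sectors; the analysed sample is not reproduced. It assumes a file small enough not to need DIFAT sectors and ignores the mini stream.

```python
"""Minimal CFB (OLE2) walker that measures OLE sector slack: bytes present in
the file that no FAT chain accounts for. build_sample() is a constructed test
file, not the analysed document. Assumption: no DIFAT sectors are needed."""
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF


def _sector(data: bytes, n: int, size: int) -> bytes:
    return data[(n + 1) * size:(n + 2) * size]      # sector 0 follows the header


def _chain(fat, start):
    """Follow a FAT chain; ENDOFCHAIN/FREESECT exceed len(fat), cycles are cut."""
    chain, sec = [], start
    while sec < len(fat) and sec not in chain:
        chain.append(sec)
        sec = fat[sec]
    return chain


def analyze_cfb(data: bytes) -> dict:
    if data[:8] != CFB_SIGNATURE:
        raise ValueError("not a CFB container")
    major, _, shift = struct.unpack_from("<HHH", data, 0x1A)
    sec_size = 1 << shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff = struct.unpack_from("<I", data, 0x38)[0]
    if struct.unpack_from("<I", data, 0x48)[0]:
        raise NotImplementedError("DIFAT sectors are not handled in this example")
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack(f"<{sec_size // 4}I", _sector(data, s, sec_size)))
    directory = b"".join(_sector(data, s, sec_size) for s in _chain(fat, first_dir))
    streams = []
    for i in range(len(directory) // 128):
        e = directory[i * 128:(i + 1) * 128]
        name_len, kind = struct.unpack_from("<HB", e, 64)
        if kind != 2:                                # 2 = stream (1 storage, 5 root, 0 unused)
            continue
        start, size = struct.unpack_from("<IQ", e, 116)
        if major == 3:
            size &= 0xFFFFFFFF                       # v3 writers leave the high dword undefined
        # streams smaller than the cutoff live in the root's mini stream, not in FAT sectors
        sectors = len(_chain(fat, start)) if size >= cutoff else None
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", errors="replace")
        streams.append({"name": name, "size": size, "fat_sectors": sectors})
    body = len(data) - sec_size
    total_sectors = (body + sec_size - 1) // sec_size
    unallocated = 0
    for s in range(total_sectors):                   # sectors in the file the FAT never claims
        if s >= len(fat) or fat[s] == FREESECT:
            unallocated += min(sec_size, body - s * sec_size)
    return {"file_size": len(data), "sector_size": sec_size, "streams": streams,
            "declared_stream_bytes": sum(s["size"] for s in streams),
            "unallocated_bytes": unallocated,
            "unallocated_pct": round(100 * unallocated / len(data), 1)}


def _dir_entry(name: str, kind: int, child: int, start: int, size: int) -> bytes:
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), kind, 1)          # name length, type, colour
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample() -> bytes:
    """Constructed CFB v3: header, one FAT sector, one directory sector, an 8-sector
    'WordDocument' stream, then 10 sectors the FAT does not reference (the slack)."""
    sec = 512
    hdr = bytearray(sec)
    hdr[:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, BOM, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                       # 1 FAT sector; dir at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT / DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # FAT lives in sector 0
    fat = [FREESECT] * (sec // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                            # FAT itself; directory
    for s in range(2, 9):
        fat[s] = s + 1                                              # stream chain 2..9
    fat[9] = ENDOFCHAIN
    directory = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dir_entry("WordDocument", 2, NOSTREAM, 2, 4096) + bytes(256))
    return (bytes(hdr) + struct.pack(f"<{sec // 4}I", *fat) + directory
            + b"A" * 4096 + b"\x90" * (10 * sec))


if __name__ == "__main__":
    print(analyze_cfb(build_sample()))
```

On the constructed file the walker reports 4,096 declared stream bytes and 5,120 unallocated bytes (47.6%); on a benign Word document the unallocated figure is a few sectors of rounding at most, so a ratio anywhere near the 98% seen in this report is by itself a strong triage signal before any shellcode scan runs.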
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV |
|---|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 644,846 bytes | c3457c06bc64152365cb07cab622f40fde86f6d66d516e27444c63263caeab94 | Win.Malware.Virlock-6913537-0 |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 801,360 bytes | 786b0a19645b1bb029ee35db620c7badd1613dbf6d7824a16eeef80bdc3e6a6c | Win.Malware.Virlock-6913537-0 |

Both artifacts are rated "obfuscation or payload: likely". Static shellcode analysis found candidate code region(s) in each with the indicators SC_GETPC_CALL, SC_STR_CREATEPROCESS and SC_STR_GETPROCADDRESS, and recovered the API/import strings CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc and VirtualAllocEx.

Note that the two carved regions overlap: both run to the end of the 823,389-byte file (0x560D + 801,360 = 0x2B96F + 644,846 = 823,389), so the PE at 0x2B96F lies inside the carved OLE body. That is why both artifacts carry the same ClamAV detection and identical shellcode indicators; they are one payload region seen through two carvers, not two separate payloads.
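The byte-level indicators that recur in this report (the SC_NOP_SLED and SC_GETPC_CALL hits, and the MZ+PE carve at 0x2B96F) reduce to pattern checks that are easy to run over any carved region. The following is an added example, not the analyzer's own code: it finds runs of 0x90, CALL $+5 / POP r32 stubs, and MZ headers whose e_lfanew really points at a PE signature (a bare "MZ" is rejected, since the two bytes occur by chance in arbitrary data). The input blob is constructed inline; the sample itself is not reproduced.

```python
"""Static byte-pattern triage for NOP sleds, x86 GetPC stubs and embedded
MZ/PE headers. build_sample() is a constructed blob, not the analysed file."""
import re
import struct

NOP_SLED_MIN = 20                        # the report's threshold: 20+ consecutive 0x90
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_nop_sleds(data: bytes, min_len: int = NOP_SLED_MIN):
    """(offset, length) of every run of at least min_len 0x90 bytes."""
    pattern = rb"\x90{" + str(min_len).encode() + b",}"
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def find_getpc_stubs(data: bytes):
    """(offset, 'pop <reg>') for each E8 00 00 00 00 (CALL $+5) followed by POP r32.
    The CALL pushes the address of the POP, so the register ends up holding the
    code's own runtime address; position-independent shellcode uses this to find
    its encoded body without knowing where it was loaded."""
    hits = []
    for m in re.finditer(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])", data):
        hits.append((m.start(), "pop " + REG32[m.group(1)[0] - 0x58]))
    return hits


def find_embedded_pe(data: bytes):
    """Every 'MZ' whose e_lfanew (DOS header + 0x3C) points at 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        mz = m.start()
        if mz + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew < 0x40 or pe + 6 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
            continue
        machine = struct.unpack_from("<H", data, pe + 4)[0]   # 0x14C = i386, 0x8664 = x64
        hits.append({"offset": mz, "e_lfanew": e_lfanew, "machine": machine})
    return hits


def triage(data: bytes) -> dict:
    """Run all three checks, keyed by the heuristic IDs this report uses."""
    return {
        "SC_NOP_SLED": find_nop_sleds(data),
        "SC_GETPC_CALL": find_getpc_stubs(data),
        "OLE_EMBEDDED_EXE": find_embedded_pe(data),
    }


def build_sample() -> bytes:
    """Constructed blob: filler, a decoy 'MZ' with e_lfanew = 0, a 30-byte sled,
    a GetPC stub, and a minimal DOS header whose e_lfanew points at a PE signature."""
    filler = bytes(range(256)) * 4                  # 1024 bytes with no 20-byte NOP run
    decoy = b"MZ" + b"\x00" * 62                    # 'MZ' but no PE header: must be rejected
    sled = b"\x90" * 30
    getpc = b"\xe8\x00\x00\x00\x00\x58"             # call $+5 ; pop eax
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew -> PE header right after
    pe = b"PE\x00\x00" + struct.pack("<H", 0x14C) + bytes(18)
    return filler + decoy + filler + sled + getpc + filler + bytes(dos) + pe + filler


if __name__ == "__main__":
    for name, hits in triage(build_sample()).items():
        print(name, hits)
```

Run over the carved 0x560D region of a real sample, find_embedded_pe would report the PE at 0x2B96F minus the carve base and its Machine field, and find_getpc_stubs the CALL/POP pair that the report disassembles at 0x714F1; the NOP-run length is worth keeping as a feature, since benign files rarely contain more than a handful of consecutive 0x90 bytes.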