Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52fcf35d99c73eb6…

MALICIOUS

Office (OLE)

37.0 KB Created: 2000-04-15 21:13:00 Authoring application: Microsoft Word 8.0 First seen: 2012-10-11
MD5: 3562699e596f3b73d40c17420d891860 SHA-1: b10598f2d842373a14e97ee130d39c07921d7ef6 SHA-256: 52fcf35d99c73eb68af1101032495d0fb81f7abc638f1d42791ad8973f201059
208 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a legacy auto-exec macro marker and an embedded PE executable. Critical heuristics indicate exploitation of CVE-2008-2244, which is known to drop a PE payload. The presence of the embedded executable confirms this payload delivery mechanism. The autoOpen macro suggests an attempt to automatically execute the embedded payload upon opening the document.

Heuristics 6

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 37,888 bytes but its declared streams total only 16,490 bytes — 21,398 bytes (56%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 278 bytes
SHA-256: 8e86cfa19bb60cbea4d6c72aaaca04c24285d8fc999804b20325a7efbb50af4e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Blink"
embedded_office_00007400.exe embedded-pe Office MZ+PE at offset 0x7400 8192 bytes
SHA-256: dcd63bfe778fb90f62aff754f3361f1ae08ad382808a59c47a3adf6897830cf5

Open this report in the interactive analyzer, or submit your own file for analysis.