MALICIOUS
700
Risk Score
Heuristics 15
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOADA macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
ClamAV: Win.Trojan.Enfal-78 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Enfal-78
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytesDisassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'add' is 83% of instructions — a sled or padding/filler run, not program logic).
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 238,340 bytes but its declared streams total only 31,351 bytes — 206,989 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0001a400.exe |
embedded-pe | Office MZ+PE at offset 0x1A400 | 130820 bytes |
SHA-256: 5c7efabae86cf018cce877e0f18df4d89923b05662effea2fb2781acfff46728 |
|||
|
Detection
ClamAV:
Win.Trojan.Enfal-78
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_CMD, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, InternetOpenA, LoadLibraryA, GetProcAddress, CreateFileA Static shellcode analysis recovered command string(s): cmd.exe /c ", cmd.exe /c, cmd.exe
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.