MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document that contains embedded malicious content. Static analysis detected critical vulnerabilities (CVE-2007-3899 and CVE-2008-2244) that are exploited to drop a PE executable. The document body appears to be a lure, discussing a fire department competition, which is likely a distraction from the embedded malicious payload.
Heuristics 5
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 184,858 bytes but its declared streams total only 18,208 bytes — 166,650 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0002b81a.exe |
embedded-pe | Office MZ+PE at offset 0x2B81A | 6656 bytes |
SHA-256: 2816cf29696d06f66a7dcf57e2add51eaf6515c8a51ee58ef0a97cc248d685a6 |
|||
embedded_office_off0000560d.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 162829 bytes |
SHA-256: b1c3e1c0a7186f747c2762809cdf33c49e564f4d72a492516392fa4f4c393e48 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.