Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f9f9d175cf6a85e…

MALICIOUS

Office (OLE)

180.5 KB Created: 2007-08-13 02:12:00 Authoring application: Microsoft Office Word First seen: 2015-09-27
MD5: 4a44cfea7dab899cb014ed0c21d14e10 SHA-1: bf496277de275be9a6d9127db4bd5c89bac21c6b SHA-256: 5f9f9d175cf6a85e7291924ddc639e290442f344c00d5d5b5bcc840fd7563f44
280 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains embedded malicious content. Static analysis detected critical vulnerabilities (CVE-2007-3899 and CVE-2008-2244) that are exploited to drop a PE executable. The document body appears to be a lure, discussing a fire department competition, which is likely a distraction from the embedded malicious payload.

Heuristics 5

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 184,858 bytes but its declared streams total only 18,208 bytes — 166,650 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0002b81a.exe embedded-pe Office MZ+PE at offset 0x2B81A 6656 bytes
SHA-256: 2816cf29696d06f66a7dcf57e2add51eaf6515c8a51ee58ef0a97cc248d685a6
embedded_office_off0000560d.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x560D 162829 bytes
SHA-256: b1c3e1c0a7186f747c2762809cdf33c49e564f4d72a492516392fa4f4c393e48