Verdict: MALICIOUS
Risk Score: 762
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059 Command and Scripting Interpreter
- T1105 Ingress Tool Transfer
The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 and CVE-2008-2244 to drop and execute a PE file. Heuristics indicate the use of APIs like CreateProcess, VirtualAlloc, and WriteProcessMemory, suggesting the embedded executable is designed to perform malicious actions. The document also contains a lure to copy/paste content into a shell, further indicating malicious intent.
Heuristics (17)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely, CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Doc.Dropper.Agent-6507552-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6507552-0
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected (high, SC_NOP_SLED): Found 20+ consecutive 0x90 bytes
  Disassembly: attempted x86 opcode disassembly (the NOP run is shown in the GetPC stub listing below)
- x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)
  Disassembly: attempted x86 opcode disassembly

```text
00083066  e800000000  call 0x8306b
0008306B  58          pop eax
0008306C  4a          dec edx
0008306D  ffc2        inc edx
0008306F  89d8        mov eax, ebx
00083071  f7d8        neg eax
00083073  0fc1c9      xadd ecx, ecx
00083076  eb01        jmp 0x83079
00083078  90          nop
00083079  0fc1d0      xadd eax, edx
0008307C  e802000000  call 0x83083
00083081  90          nop
00083082  90          nop
00083083  58          pop eax
00083084  6afe        push -2
00083086  e84d13467c  call 0x7c4e43d8
0008308B  6a00        push 0
0008308D  e8a6b9477c  call 0x7c4fea38
00083092  90          nop
00083093  90          nop
00083094  90          nop
00083095  90          nop
00083096  90          nop
00083097  90          nop
00083098  90          nop
00083099  90          nop
0008309A  90          nop
0008309B  90          nop
0008309C  90          nop
0008309D  90          nop
0008309E  90          nop
0008309F  90          nop
000830A0  90          nop
000830A1  90          nop
000830A2  90          nop
000830A3  90          nop
000830A4  90          nop
000830A5  90          nop
000830A6  90          nop
000830A7  90          nop
000830A8  90          nop
000830A9  90          nop
000830AA  90          nop
000830AB  90          nop
000830AC  90          nop
000830AD  90          nop
000830AE  90          nop
000830AF  90          nop
000830B0  90          nop
000830B1  90          nop
000830B2  90          nop
000830B3  90          nop
000830B4  90          nop
000830B5  90          nop
000830B6  90          nop
000830B7  90          nop
000830B8  90          nop
000830B9  90          nop
000830BA  90          nop
000830BB  90          nop
000830BC  90          nop
000830BD  90          nop
000830BE  90          nop
000830BF  90          nop
000830C0  90          nop
000830C1  90          nop
000830C2  90          nop
000830C3  90          nop
000830C4  90          nop
000830C5  90          nop
```
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 700,323 bytes but its declared streams total only 18,208 bytes — 682,115 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://upx.tsx.org (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 521780 bytes | 897d24c8494c6060cf9cdc3aaedaf2b7ec1108913c4a944648c2e038fd76f89a | Win.Malware.Razy-9886340-0 | likely |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 678294 bytes | 40720b9071b548c7659ebfc1ab0b7911a462fd22571710df907fb2ff85087a3e | Win.Malware.Razy-9886340-0 | likely |

For both artifacts, static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx.