Win.Trojan.Softpulse-629 — Office (OLE) malware analysis

Static analysis result for SHA-256 6281b3f987f62d11…

MALICIOUS

Office (OLE)

Size: 897.5 KB · Created: 2017-05-03 08:15:00 · Authoring application: Microsoft Office Word · First seen: 2017-09-14
MD5: 1d3a12c95161d2f5e97ad9562b7834ca
SHA-1: e56c539339e6e6999e791187b25e59b9eea1c9d3
SHA-256: 6281b3f987f62d11ef7350dcc1872c68e1dac34bc55b840aa4682c986b46019d
Risk score: 542

Malware Insights

Win.Trojan.Softpulse-629 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Word (OLE compound) document whose structure matches the CVE-2007-3899 (MS07-060) malformed-string memory-corruption exploit, used to run an embedded PE executable; the same executable is also present as an OLE Packager object (Ole10Native stream). ClamAV detects the embedded executable as Win.Trojan.Softpulse-629. The document body contains a package-delivery lure, consistent with the social-engineering pretext used to get the recipient to open the file. The verdict is static: the exploit-shape and embedded-payload evidence is structural, and no execution of the sample was observed.

Heuristics 12

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical · CVE likely · CVE_2007_3899]
    The Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run and inflated text counters, alongside exploit-payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high · CVE likely · CVE_2026_21514]
    The document contains a Word OLE object with an Ole10Native (Packager) stream together with executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE object metadata validation; an Ole10Native package that carries a PE is the stronger structure and is treated as likely exploitation. A packaged executable is dangerous even without any vulnerability: activating the object writes the file to a temp path and runs it after a warning prompt.
  • ClamAV: Win.Trojan.Softpulse-629 [critical · CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Softpulse-629.
  • Reference to WriteProcessMemory API [critical · SC_STR_WRITEPROCESSMEMORY]
    String reference to WriteProcessMemory. Together with VirtualAllocEx and CreateProcessA (both recovered from the carved payload, see Extracted artifacts) this is the standard import set for writing code into another process.
  • Embedded PE executable [critical · OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document: possible embedded executable (carved as embedded_office_00004714.exe, see Extracted artifacts).
  • PEB access via FS segment (x86) [high · SC_PEB_ACCESS]
    Code reads the Process Environment Block through fs:[0x30] (the TEB's PEB pointer on 32-bit Windows). The disassembled function loads PEB+0x02 (BeingDebugged) and returns non-zero when a debugger is attached, an inline reimplementation of IsDebuggerPresent. Shellcode also uses fs:[0x30] to reach PEB.Ldr (+0x0C) and resolve kernel32 without imports, but the offset read here is 0x02, so this hit is an anti-debugging check. The surrounding code (SEH-style prologue, indirect calls through fixed image addresses 0x41b0b4 and 0x41b17c) is compiled code from the carved PE rather than document-resident shellcode, which matches the artifact section attributing the SC_* indicators to the extracted executable.
    Disassembly
    Attempted x86 opcode disassembly (offsets as reported by the analyzer; comments added):
    00005972  64a130000000      mov eax, dword ptr fs:[0x30]    ; eax = PEB
    00005978  8a4002            mov al, byte ptr [eax + 2]      ; al = PEB.BeingDebugged
    0000597B  8845ff            mov byte ptr [ebp - 1], al
    0000597E  807dff00          cmp byte ptr [ebp - 1], 0
    00005982  0f95c0            setne al                        ; return 1 if a debugger is present
    00005985  c9                leave
    00005986  c3                ret
    00005987  68cc020000        push 0x2cc                      ; next function: frame size, handler, prologue call (MSVC SEH-style)
    0000598C  b84ca54100        mov eax, 0x41a54c
    00005991  e85a7d0000        call 0xd6f0
    00005996  bf04010000        mov edi, 0x104                  ; 0x104 = MAX_PATH
    0000599B  57                push edi
    0000599C  8d85e4fdffff      lea eax, [ebp - 0x21c]          ; local buffer
    000059A2  33db              xor ebx, ebx
    000059A4  50                push eax
    000059A5  895dfc            mov dword ptr [ebp - 4], ebx
    000059A8  8b35b4b04100      mov esi, dword ptr [0x41b0b4]   ; imported function (IAT-style slot)
    000059AE  53                push ebx
    000059AF  ffd6              call esi                        ; f(0, buffer, MAX_PATH)
    000059B1  57                push edi
    000059B2  8d85e4fdffff      lea eax, [ebp - 0x21c]
    000059B8  50                push eax
    000059B9  53                push ebx
    000059BA  ffd6              call esi                        ; same call repeated
    000059BC  3bc3              cmp eax, ebx
    000059BE  0f8486000000      je 0x5a4a                       ; bail out on zero return
    000059C4  8d85e4fdffff      lea eax, [ebp - 0x21c]
    000059CA  50                push eax
    000059CB  ff157cb14100      call dword ptr [0x41b17c]       ; second import, called with the buffer
    000059D1  50                push eax
  • Reference to CreateProcess API [high · SC_STR_CREATEPROCESS]
    String reference to CreateProcess (CreateProcessA in the recovered import strings); with WriteProcessMemory and VirtualAllocEx this is the set used to start a process and write code into it.
  • Reference to LoadLibrary API [high · SC_STR_LOADLIBRARY]
    String reference to LoadLibrary (LoadLibraryW in the recovered import strings).
  • Reference to GetProcAddress API [high · SC_STR_GETPROCADDRESS]
    String reference to GetProcAddress. LoadLibrary plus GetProcAddress lets the payload resolve its real imports at run time, keeping them out of the static import table.
  • Reference to VirtualAlloc API [medium · SC_STR_VIRTUALALLOC]
    String reference to VirtualAlloc, commonly used to allocate memory for an unpacked stage; consistent with the 7.80 entropy of the carved payload.
  • Suspicious extracted artifact [medium · EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info · EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached it. All of the URLs below were found in document text (OLE body) and are listed verbatim as extracted:
    • http://ocsp.verisign.com0
    • http://sf.symcd.com0&
    • http://crl.verisign.com/pca3.crl0
    • https://www.verisign.com/cps0
    • http://logo.verisign.com/vslogo.gif04
    • https://www.verisign.com/rpa
    • http://sf.symcb.com/sf.crl0f
    • https://d.symcb.com/cps0%
    • https://d.symcb.com/rpa0
    • http://sf.symcb.com/sf.crt0
    • https://www.verisign.com/cps0*
    • https://www.verisign.com/rpa0
    • http://crl.verisign.com/pca3-g5.crl04
    • http://schemas.openxmlformats.org/drawingml/2006/main
    Triage caveat: apart from the last entry (the DrawingML XML namespace), these are OCSP, CRL, CPS and logo URLs of the VeriSign/Symantec certificate hierarchy, the kind carried in an X.509 certificate chain, typically the Authenticode signature of a signed PE. The trailing characters after each URL ("0", "0&", "04", "0*", ...) are adjacent ASN.1 length and tag bytes picked up by the string extractor and are not part of the URL. None of these is a payload or command-and-control address, and they should not be turned into blocklist entries.
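The SC_PEB_ACCESS hit above comes from matching a byte pattern, not from running the code. The following Python is an added example written for this page, not the analyzer's own code: it scans raw x86 bytes for a load of fs:[0x30] and classifies the first PEB field read from the resulting register, so a BeingDebugged check (offset 0x02, as in the disassembly above) is told apart from a PEB.Ldr walk (offset 0x0C). The first sample input is the opcode bytes transcribed from the disassembly; the second sample and the PEB offset table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# 32-bit PEB field offsets (public, stable layout). Assumed table for this example.
PEB_FIELDS = {
    0x02: "BeingDebugged",   # IsDebuggerPresent() reimplementation
    0x0C: "Ldr",             # loader module list: manual kernel32/API resolution
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",    # heap debug flags set when started under a debugger
}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP32 = b"\x30\x00\x00\x00"

@dataclass
class PebAccess:
    offset: int                  # byte offset of the fs:[0x30] load
    reg: str                     # register that receives the PEB pointer
    field_offset: Optional[int]  # disp8 of the first [reg+disp8] load, if any
    field: str                   # PEB field name for that displacement

def _fs30_loads(code: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, dest_reg_index, end) for every 'mov r32, fs:[0x30]'.
    Encodings: 64 A1 30 00 00 00 (eax only) and 64 8B /r 30 00 00 00 with
    ModRM mod=00 rm=101 (disp32), the reg field selecting the destination."""
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0x64 and code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_DISP32:
            yield i, 0, i + 6
            i += 6
        elif (code[i] == 0x64 and code[i + 1] == 0x8B and i + 7 <= len(code)
              and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_DISP32):
            yield i, (code[i + 2] >> 3) & 7, i + 7
            i += 7
        else:
            i += 1

def _first_disp8_load(code: bytes, start: int, base: int) -> Optional[int]:
    """Find 'mov r8/r32, [base+disp8]' (opcode 8A/8B, ModRM mod=01 rm=base)
    within the next few bytes; rm=100 needs a SIB byte and is not handled."""
    if base == 4:
        return None
    for i in range(start, min(start + 8, len(code) - 2)):
        op, modrm = code[i], code[i + 1]
        if op in (0x8A, 0x8B) and (modrm >> 6) == 1 and (modrm & 7) == base:
            return code[i + 2]
    return None

def scan_peb_access(code: bytes) -> List[PebAccess]:
    """Return one finding per fs:[0x30] load, with the first PEB field read."""
    out = []
    for off, reg, end in _fs30_loads(code):
        disp = _first_disp8_load(code, end, reg)
        name = "PEB base only" if disp is None else PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
        out.append(PebAccess(off, REGS[reg], disp, name))
    return out

# Constructed sample 1: opcode bytes transcribed from the disassembly at 0x5972 above.
REPORT_BYTES = bytes.fromhex("64a130000000 8a4002 8845ff 807dff00 0f95c0 c9 c3")
# Constructed sample 2: mov edx, fs:[0x30]; mov edx, [edx+0x0c]  (PEB.Ldr walk).
LDR_WALK = bytes.fromhex("648b1530000000 8b520c")

if __name__ == "__main__":
    for blob in (REPORT_BYTES, LDR_WALK):
        for hit in scan_peb_access(blob):
            print(f"+0x{hit.offset:04x}: PEB -> {hit.reg}, first read = {hit.field}")
```

Run over the report bytes this yields a single hit at offset 0 reading BeingDebugged, which is why the heuristic text above is labelled an anti-debugging check rather than import resolution; the displacement, not the fs:[0x30] load itself, carries the meaning.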

Extracted artifacts 2

Files carved from inside the sample during analysis.

embedded_office_00004714.exe
  Kind: embedded-pe
  Source: Office, MZ+PE at offset 0x4714
  Size: 900844 bytes
  SHA-256: 2b4c415f0e4a615e1241b6db959899a8b618ddaf782acd98b0b98cafe066385a
  Detection: ClamAV: Win.Trojan.Softpulse-629
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s); indicators: SC_PEB_ACCESS, SC_STR_CREATEPROCESS, SC_STR_LOADLIBRARY. Recovered API/import strings: VirtualAlloc, VirtualAllocEx, CreateProcessA, WriteProcessMemory, LoadLibraryW, GetProcAddress. Carved artifact entropy is 7.80, consistent with packed or encrypted content.

ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream ObjectPool/_1555316173/Ole10Native
  Size: 891254 bytes
  SHA-256: 170abdaeea9a6655a13b7ac4d562806ea57635adc49f08c5f4369361b9c0ddc8
  Detection: ClamAV: Win.Trojan.Softpulse-629
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s); indicators: SC_PEB_ACCESS, SC_STR_CREATEPROCESS, SC_STR_LOADLIBRARY. Recovered API/import strings: VirtualAlloc, VirtualAllocEx, CreateProcessA, WriteProcessMemory, LoadLibraryW, GetProcAddress. Carved artifact entropy is 7.80, consistent with packed or encrypted content.

Note on the two artifacts: both carry the same ClamAV detection, entropy and indicator set, so they are two views of one payload, the PE inside the Ole10Native package. The raw carve (900844 bytes, which is exactly the span from offset 0x4714 to the end of the 897.5 KB file) is larger than the Ole10Native stream that contains it (891254 bytes), so the carve overran the executable's true end; and because a compound-file stream is not necessarily stored in contiguous sectors, a raw-offset carve can also interleave bytes from other streams. Prefer the Ole10Native-parsed artifact, or the PE re-extracted from it, when computing hashes for sharing or doing further analysis.
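Both the Ole10Native heuristic and the ole10native_00.bin artifact depend on pulling the packaged file out of the Ole10Native stream. The following Python is an added example written for this page, not the analyzer's or oletools' code: it parses the Packager stream layout (the de facto format as implemented in oletools' oleobj, which is an assumption recorded in the comments), returns the packaged bytes with their label and paths, and runs the first-pass checks the artifact section reports: MZ/PE header validity via e_lfanew, SHA-256, and Shannon entropy. The stream, file names and payload bytes below are constructed; on a real sample the stream is read with olefile from the ObjectPool/_1555316173/Ole10Native path named in the artifact table.

```python
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

# Assumed Ole10Native (Packager) layout, as implemented by oletools' oleobj:
#   u32 size | u16 flags1 | label\0 | src_path\0 | u16 flags2 | u16 unknown
#   | u32 temp_len | temp_path[temp_len] | u32 data_len | data[data_len] | ...

@dataclass
class Ole10Native:
    label: str        # display name shown in the document (e.g. "invoice.exe")
    src_path: str     # original path on the author's machine
    temp_path: str    # path Packager extracts to on activation
    data: bytes       # the packaged file itself

def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse a Packager stream; reject declared lengths that overrun the data."""
    (size,) = struct.unpack_from("<I", stream, 0)
    if size + 4 > len(stream):
        raise ValueError("declared size exceeds stream length")
    label, off = _cstr(stream, 6)                 # skip u32 size + u16 flags1
    src_path, off = _cstr(stream, off)
    off += 4                                      # u16 flags2 + u16 unknown
    (temp_len,) = struct.unpack_from("<I", stream, off); off += 4
    temp_path = stream[off:off + temp_len].split(b"\x00", 1)[0].decode("latin-1")
    off += temp_len
    (data_len,) = struct.unpack_from("<I", stream, off); off += 4
    if off + data_len > len(stream):
        raise ValueError("payload length runs past end of stream")
    return Ole10Native(label, src_path, temp_path, stream[off:off + data_len])

def build_ole10native(label: str, src_path: str, temp_path: str, data: bytes) -> bytes:
    """Inverse of parse_ole10native; used here only to construct a test stream."""
    l, s, t = (x.encode("latin-1") + b"\x00" for x in (label, src_path, temp_path))
    body = (struct.pack("<H", 2) + l + s + struct.pack("<HH", 0, 3)
            + struct.pack("<I", len(t)) + t + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(stream: bytes) -> dict:
    """The first-pass facts an artifact entry reports for a packaged file."""
    obj = parse_ole10native(stream)
    return {
        "label": obj.label,
        "src_path": obj.src_path,
        "is_pe": looks_like_pe(obj.data),
        "size": len(obj.data),
        "sha256": hashlib.sha256(obj.data).hexdigest(),
        "entropy": round(shannon_entropy(obj.data), 2),
    }

# Constructed sample: a minimal MZ/PE stub followed by evenly distributed bytes so
# the entropy check has something to measure. Not the real payload from the report.
_FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3E)
struct.pack_into("<I", _FAKE_PE, 0x3C, 0x40)               # e_lfanew -> 0x40
_FAKE_PE += b"PE\x00\x00" + bytes((i * 131 + 7) & 0xFF for i in range(2048))
SAMPLE_STREAM = build_ole10native("invoice.exe", r"C:\Users\a\Desktop\invoice.exe",
                                  r"C:\Users\a\AppData\Local\Temp\invoice.exe",
                                  bytes(_FAKE_PE))

if __name__ == "__main__":
    for k, v in triage(SAMPLE_STREAM).items():
        print(f"{k:>9}: {v}")
```

Two checks worth adding on real input: compare the label's extension with the payload's actual type (a PE behind a .pdf or .docx label is its own indicator), and treat a declared data_len that runs past the stream as corrupt rather than clamping it, since a truncated payload hashes differently from the file the attacker actually shipped.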