Verdict: MALICIOUS
Risk Score: 662
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059 Command and Scripting Interpreter
The sample is a Microsoft Word (OLE/CFB) document whose structure matches CVE-2006-6456 (malformed table SPRM; exact match) and the MS08-042 / CVE-2008-2244 record-parsing exploit family (likely match). Its unallocated sector slack carries XOR-encoded shellcode (single-byte key 0x45) and a secondary PE executable (58,816 bytes at offset 0x29200), which ClamAV detects as Win.Trojan.Agent-62391. The document also contains a NOP sled and shellcode that resolves APIs by walking the PEB loader list and the kernel32 export table (references to LoadLibrary and GetProcAddress), indicating shellcode execution that runs the embedded executable.
Heuristics (13)
- CVE-2006-6456 — Microsoft Word malformed table SPRM
  Severity: critical | Category: CVE | Confidence: exact | Rule: CVE_2006_6456
  WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
- CVE-2008-2244 — Microsoft Word record-parsing payload
  Severity: critical | Category: CVE | Confidence: likely | Rule: CVE_2008_2244
  The Word OLE document has normal, small WordDocument and table streams, a large unallocated OLE slack region, and an executable or resolver-shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244; the match is structural, not a confirmed trigger of the bug.
- ClamAV: Win.Trojan.Agent-62391
  Severity: critical | Rule: CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Trojan.Agent-62391.
- XOR-encoded strings (key 0x45)
  Severity: critical | Rule: SC_XOR_ENCODED
  Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x45: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'InternetOpenA'.
  The listing below is the analyzer's attempted x86 decode of the encoded bytes at 0x3511C. It is not code: XOR-ing the same bytes with 0x45 yields a NUL-separated DLL-name table (KERNEL32.DLL, ADVAPI32.dll, GDI32.dll, MSVCRT.dll, PSAPI.DLL, urlmon.dll, USER32.dll, USERENV.dll, then the first five bytes, WININ, of a further name where the listing stops). The instructions shown are an artefact of disassembling data and should not be read as payload logic.
  Attempted x86 opcode disassembly at 0x3511C:
```asm
0003511C 0e push cs
0003511D 0017 add byte ptr [edi], dl
0003511F 0b00 or eax, dword ptr [eax]
00035121 097677 or dword ptr [esi + 0x77], esi
00035124 6b0109 imul eax, dword ptr [ecx], 9
00035127 094504 or dword ptr [ebp + 4], eax
0003512A 0113 add dword ptr [ebx], edx
0003512C 0415 add al, 0x15
0003512E 0c76 or al, 0x76
00035130 776b ja 0x3519d
00035132 2129 and dword ptr [ecx], ebp
00035134 294502 sub dword ptr [ebp + 2], eax
00035137 010c76 add dword ptr [esi + esi*2], ecx
0003513A 776b ja 0x351a7
0003513C 2129 and dword ptr [ecx], ebp
0003513E 294508 sub dword ptr [ebp + 8], eax
00035141 16 push ss
00035142 1306 adc eax, dword ptr [esi]
00035144 17 pop ss
00035145 116b21 adc dword ptr [ebx + 0x21], ebp
00035148 2929 sub dword ptr [ecx], ebp
0003514A 45 inc ebp
0003514B 151604150c adc eax, 0xc150416
00035150 6b0109 imul eax, dword ptr [ecx], 9
00035153 094530 or dword ptr [ebp + 0x30], eax
00035156 37 aaa
00035157 2928 sub dword ptr [eax], ebp
00035159 2a2b sub ch, byte ptr [ebx]
0003515B 6b2129 imul esp, dword ptr [ecx], 0x29
0003515E 294510 sub dword ptr [ebp + 0x10], eax
00035161 16 push ss
00035162 0017 add byte ptr [edi], dl
00035164 7677 jbe 0x351dd
00035166 6b2129 imul esp, dword ptr [ecx], 0x29
00035169 294510 sub dword ptr [ebp + 0x10], eax
0003516C 16 push ss
0003516D 0017 add byte ptr [edi], dl
0003516F 000b add byte ptr [ebx], cl
00035171 136b21 adc ebp, dword ptr [ebx + 0x21]
00035174 2929 sub dword ptr [ecx], ebp
00035176 45 inc ebp
00035177 120c0b adc cl, byte ptr [ebx + ecx]
0003517A 0c0b or al, 0xb
```
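To make the XOR finding concrete, here is an added example in Python, written for this page rather than taken from the analyzer or the sample. It re-implements the single-byte-key search the heuristic describes (the list of known API names it looks for is an assumption; the analyzer's real list is not on the page) and then decodes the bytes transcribed from the listing above. All function and constant names are my own.

```python
"""Single-byte XOR string recovery: an added example (not code from the report
or the analyzer) that re-implements the SC_XOR_ENCODED check and then decodes
the bytes the report lists at 0x3511C."""

# Encoded bytes transcribed from the report's listing at 0x3511C (the raw
# opcode column, concatenated in address order).
ENCODED = bytes.fromhex(
    "0e00170b000976776b01090945"    # -> KERNEL32.DLL\0
    "04011304150c76776b21292945"    # -> ADVAPI32.dll\0
    "02010c76776b21292945"          # -> GDI32.dll\0
    "0816130617116b21292945"        # -> MSVCRT.dll\0
    "151604150c6b01090945"          # -> PSAPI.DLL\0
    "303729282a2b6b21292945"        # -> urlmon.dll\0
    "1016001776776b21292945"        # -> USER32.dll\0
    "10160017000b136b21292945"      # -> USERENV.dll\0
    "120c0b0c0b"                    # -> WININ (the listing ends here)
)

# Names the heuristic looks for. This tuple is an assumption for the demo;
# the analyzer's real list is not published on the page.
KNOWN_NAMES = (b"KERNEL32.DLL", b"LoadLibraryA", b"GetProcAddress", b"InternetOpenA")


def xor_single(buf: bytes, key: int) -> bytes:
    """XOR every byte with one key (the transform is its own inverse)."""
    return bytes(b ^ key for b in buf)


def find_xor_keys(buf: bytes, needles=KNOWN_NAMES) -> dict:
    """Brute-force all 255 non-zero single-byte keys and report, per key, which
    known library/API names become visible. Key 0 is skipped: plaintext
    strings are a different finding."""
    hits = {}
    for key in range(1, 256):
        decoded = xor_single(buf, key)
        found = [n for n in needles if n in decoded]
        if found:
            hits[key] = found
    return hits


def decode_string_table(buf: bytes, key: int) -> list:
    """Decode and split a NUL-terminated string table. A trailing fragment with
    no terminator (a truncated dump) is returned as-is, so the caller can see
    that the data continues beyond what was captured."""
    return [part.decode("ascii", errors="replace")
            for part in xor_single(buf, key).split(b"\x00")]


if __name__ == "__main__":
    for key, names in find_xor_keys(ENCODED).items():
        print(f"key 0x{key:02x}: {names}")
    print(decode_string_table(ENCODED, 0x45))
```

Running it against the transcribed bytes reports exactly one key, 0x45, with 'KERNEL32.DLL' as the hit; the other three names the analyzer reported are encoded elsewhere in the file and are not in this excerpt. The decoded table is the DLL-name list above, which is why the bytes disassemble to nonsense.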
- Embedded PE executable
  Severity: critical | Rule: OLE_EMBEDDED_EXE
  MZ/PE header found inside the document: possible embedded executable (carved as embedded_office_00029200.exe, see Extracted artifacts below).
- Embedded Office document has suspicious static findings
  Severity: critical | Rule: EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
  A CFB/OLE Office document was found inside another file type, and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file is routed to a PE, archive, or generic scanner instead of the Office scanner.
- NOP sled detected
  Severity: high | Rule: SC_NOP_SLED
  Found 20+ consecutive 0x90 bytes (50 in the region below, 0xAD0 to 0xB01). Note that this sled does not lead into the resolver: it ends in `eb fe` (a `jmp $` self-loop) followed by runs of 0x46/0x47/0x48 and 0x20 0x00 word pairs, which read as filler rather than a payload entry. The API-resolving shellcode is elsewhere in the file (see the PEB-access finding at 0x1675F).
  Attempted x86 opcode disassembly (repeated instructions collapsed):
```asm
00000AD0-00000B01 90   nop                      (x50)
00000B02          ebfe jmp 0xb02                ; jmp $, self-loop
00000B04-00000B07 46   inc esi                  (x4)
00000B08-00000B0B 47   inc edi                  (x4)
00000B0C-00000B0F 48   dec eax                  (x4)
00000B10-00000B2E 2000 and byte ptr [eax], al   (x16)
```
- PEB access via FS segment (x86)
  Severity: high | Rule: SC_PEB_ACCESS
  PEB access via FS segment (x86). The fragment below is a position-independent API resolver: it reads the PEB from fs:[0x30], follows PEB.Ldr to InInitializationOrderModuleList, takes the DllBase of the second module in that list (kernel32.dll on Windows 2000/XP/2003, the platforms of the Word versions affected by CVE-2006-6456), then walks the export directory comparing each exported name against "GetProcAddress", which it assembles on the stack from four 32-bit immediates. Nothing in the fragment is a fixed address, and the API name is built from immediates rather than stored as a plain string, which keeps it out of naive string scans. The second-entry assumption breaks on Windows 7 and later, where KERNELBASE.dll occupies that slot, so the shellcode is tied to the older platforms.
  Attempted x86 opcode disassembly (annotations added):
```asm
0001675F 64a130000000 mov eax, dword ptr fs:[0x30]       ; PEB
00016765 8b400c mov eax, dword ptr [eax + 0xc]           ; PEB.Ldr
00016768 8b701c mov esi, dword ptr [eax + 0x1c]          ; Ldr.InInitializationOrderModuleList (first entry: ntdll)
0001676B ad lodsd eax, dword ptr [esi]                   ; eax = first entry's Flink -> second entry (kernel32 on 2000/XP/2003)
0001676C 8b5808 mov ebx, dword ptr [eax + 8]             ; entry.DllBase -> kernel32 image base
0001676F 8b433c mov eax, dword ptr [ebx + 0x3c]          ; IMAGE_DOS_HEADER.e_lfanew
00016772 8b440378 mov eax, dword ptr [ebx + eax + 0x78]  ; DataDirectory[EXPORT].VirtualAddress
00016776 03c3 add eax, ebx                               ; -> IMAGE_EXPORT_DIRECTORY
00016778 894520 mov dword ptr [ebp + 0x20], eax          ; save export directory
0001677B 8b4818 mov ecx, dword ptr [eax + 0x18]          ; NumberOfNames
0001677E 8b4020 mov eax, dword ptr [eax + 0x20]          ; AddressOfNames (RVA)
00016781 03c3 add eax, ebx
00016783 894528 mov dword ptr [ebp + 0x28], eax          ; save name-table pointer
00016786 c7452400000000 mov dword ptr [ebp + 0x24], 0    ; name index = 0
0001678D c7450047657450 mov dword ptr [ebp], 0x50746547       ; "GetP"
00016794 c74504726f6341 mov dword ptr [ebp + 4], 0x41636f72   ; "rocA"
0001679B c7450864647265 mov dword ptr [ebp + 8], 0x65726464   ; "ddre"
000167A2 c7450c73730000 mov dword ptr [ebp + 0xc], 0x7373     ; "ss\0\0"
000167A9 8bf5 mov esi, ebp                               ; esi -> "GetProcAddress"
000167AB 56 push esi
000167AC 51 push ecx                                     ; keep the name count
000167AD 8b00 mov eax, dword ptr [eax]                   ; RVA of current exported name
000167AF 03c3 add eax, ebx
000167B1 8bf8 mov edi, eax                               ; edi -> exported name
000167B3 b90e000000 mov ecx, 0xe                         ; 14 = len("GetProcAddress"), terminator not compared
000167B8 f3a6 repe cmpsb byte ptr [esi], byte ptr es:[edi]
000167BA 7528 jne 0x167e4                                ; no match: advance to next name
000167BC 83c404 add esp, 4
```
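The export-directory walk in that fragment, as an added example in Python (not the sample's code, and nothing here is the analyzer's): it uses the same structure offsets the shellcode hard-codes, over a constructed flat PE32 image, so the lookup can be run and checked offline. The export names and RVAs are made up for the demonstration; the PEB and loader-list part of the walk, which needs a live 32-bit Windows process, is not simulated.

```python
"""Added example (not the sample's code): the export-table walk performed by
the shellcode at 0x1675F, re-implemented over a constructed, flat PE32 image
(RVA == offset) so it can be run and checked offline. The PEB/Ldr walk that
finds kernel32's base is not simulated; the image below stands in for the
module the shellcode found. All export names and RVAs are made up."""
import struct

# Offsets the shellcode hard-codes (PE32 / IMAGE_EXPORT_DIRECTORY layout).
E_LFANEW = 0x3C                   # IMAGE_DOS_HEADER.e_lfanew            ([ebx+0x3c])
EXPORT_DIR_RVA = 0x78             # NT headers -> DataDirectory[EXPORT]   ([ebx+eax+0x78])
NUMBER_OF_NAMES = 0x18            # IMAGE_EXPORT_DIRECTORY.NumberOfNames  ([eax+0x18])
ADDRESS_OF_FUNCTIONS = 0x1C       # .AddressOfFunctions
ADDRESS_OF_NAMES = 0x20           # .AddressOfNames                       ([eax+0x20])
ADDRESS_OF_NAME_ORDINALS = 0x24   # .AddressOfNameOrdinals


def build_fake_image(exports: dict) -> bytes:
    """Lay out a minimal flat image with an export directory. Constructed for
    the demo; everything the walk does not touch (sections, imports, real
    code) is left zeroed."""
    img = bytearray(0x400)
    nt, exp = 0x80, 0x200
    funcs_tbl, names_tbl, ords_tbl, strings = 0x240, 0x260, 0x280, 0x2A0
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, nt)
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<I", img, nt + EXPORT_DIR_RVA, exp)
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames and
    # AddressOfNameOrdinals are five consecutive DWORDs from offset 0x14.
    struct.pack_into("<IIIII", img, exp + 0x14, len(exports), len(exports),
                     funcs_tbl, names_tbl, ords_tbl)
    # AddressOfFunctions keeps insertion order; the name table must be sorted,
    # and AddressOfNameOrdinals maps each sorted name back to its function slot.
    slot = {name: i for i, name in enumerate(exports)}
    for i, rva in enumerate(exports.values()):
        struct.pack_into("<I", img, funcs_tbl + 4 * i, rva)
    cursor = strings
    for j, name in enumerate(sorted(exports)):
        struct.pack_into("<I", img, names_tbl + 4 * j, cursor)
        struct.pack_into("<H", img, ords_tbl + 2 * j, slot[name])
        img[cursor:cursor + len(name) + 1] = name + b"\0"
        cursor += len(name) + 1
    return bytes(img)


def resolve_export(image: bytes, wanted: bytes):
    """Mirror the shellcode: linear scan of AddressOfNames, comparing exactly
    len(wanted) bytes the way 'mov ecx, 0xe / repe cmpsb' does, then map the
    matching index through AddressOfNameOrdinals into AddressOfFunctions.
    Returns the function RVA, or None if no name matches."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    nt = u32(E_LFANEW)                        # mov eax, [ebx+0x3c]
    exp = u32(nt + EXPORT_DIR_RVA)            # mov eax, [ebx+eax+0x78]; add eax, ebx
    n_names = u32(exp + NUMBER_OF_NAMES)      # mov ecx, [eax+0x18]
    names = u32(exp + ADDRESS_OF_NAMES)       # mov eax, [eax+0x20]; add eax, ebx
    for i in range(n_names):
        name_off = u32(names + 4 * i)         # mov eax, [eax]; add eax, ebx
        if image[name_off:name_off + len(wanted)] == wanted:   # repe cmpsb, ecx = len(wanted)
            ordinal = u16(u32(exp + ADDRESS_OF_NAME_ORDINALS) + 2 * i)
            return u32(u32(exp + ADDRESS_OF_FUNCTIONS) + 4 * ordinal)
    return None


# Constructed export set; RVAs are arbitrary. Insertion order is deliberately
# not alphabetical so the ordinal indirection is exercised.
FAKE_EXPORTS = {
    b"VirtualAlloc": 0x1300,
    b"GetProcAddress": 0x1100,
    b"LoadLibraryA": 0x1200,
    b"CloseHandle": 0x1000,
}
IMAGE = build_fake_image(FAKE_EXPORTS)

if __name__ == "__main__":
    print(hex(resolve_export(IMAGE, b"GetProcAddress")))
```

One detail worth noticing: because the shellcode sets ecx to 14 and never compares the terminator, its match is a prefix match, so `resolve_export(IMAGE, b"GetProc")` also returns the GetProcAddress slot. That is harmless when the full name is supplied, but a resolver written this way will pick the first export whose name merely begins with the probe.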
- Reference to LoadLibrary API
  Severity: high | Rule: SC_STR_LOADLIBRARY
  Reference to the LoadLibrary API (the XOR-encoded 'LoadLibraryA' string reported above).
- Reference to GetProcAddress API
  Severity: high | Rule: SC_STR_GETPROCADDRESS
  Reference to the GetProcAddress API (XOR-encoded string reported above; the name is also assembled from immediates in the PEB-access fragment).
- OLE document has large unaccounted-for region
  Severity: high | Rule: OLE_SLACK_ANOMALY
  The OLE file is 227,264 bytes but its declared streams total only 94,695 bytes; the remaining 132,569 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
- OLE file has appended executable-looking payload bytes
  Severity: high | Rule: OLE_APPENDED_PAYLOAD
  The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader-API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Suspicious extracted artifact
  Severity: info | Rule: EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_00029200.exe | embedded-pe | Office MZ+PE at offset 0x29200 | 58,816 bytes | 9846760c16a4204c0c4732a4658b520bcdf6204c8785f2c1452fd534f9afab67 | Win.Trojan.Agent-62391 | likely: carved artifact entropy is 7.59, consistent with packed or encrypted content |
| embedded_office_off00018200.ole | embedded-office | Embedded OLE/CFB Office body inside the OLE container at offset 0x18200 | 128,448 bytes | 69b2c6e916b41a1addc67bf52646915bad6dc78c7c77636dbea007ebb296ccf1 | Win.Trojan.Agent-62391 | unlikely |

Both carved regions run to the end of the 227,264-byte file (0x18200 + 128,448 and 0x29200 + 58,816 both equal 227,264), so the PE at 0x29200 lies inside the carved child OLE body; that nesting is consistent with the same ClamAV signature firing on both artifacts.