Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67d4a4a55be0b2e0…

MALICIOUS

Office (OLE)

142.8 KB
MD5: d3399664d5e132b555487dbca64aeb9b SHA-1: a08f79dbc5ac172cb0c5f9034fdd13fbc98c211c SHA-256: 67d4a4a55be0b2e0306342fb14a8bdd1a5a9d5a3fa043751b49283903a960f8e
280 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Office document that contains an embedded PE executable. The critical heuristic CVE_2008_2244 indicates exploitation of a Microsoft Word record-parsing vulnerability, which is used to execute the embedded PE file. The document body contains Chinese text related to testing file construction and embedding Excel and PowerPoint objects, suggesting a lure for users to open the document.

Heuristics 6

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 146,180 bytes but its declared streams total only 31,351 bytes — 114,829 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015000.exe
5c6ca5a9116b36a560fbaf601f322a3baca53d4be24cc3bf4a68369fc51d988c		 embedded-pe Office MZ+PE at offset 0x15000 60164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.