Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67d92d2b298e5f59…

MALICIOUS

Office (OLE)

Size: 326.1 KB (333,967 bytes)
Created: 2007-08-13 02:12:00 (taken from document metadata, which is trivially forgeable)
Authoring application: Microsoft Office Word
First seen: 2015-10-13
MD5: bef6dec2ca08528b32c64ce29029cf58
SHA-1: 91b8357122f27e3f49695c19f09b76a9ec99d740
SHA-256: 67d92d2b298e5f599f76e4231e4fe38f7e92370468c9963e736e9d8e78468984
Risk score: 420

Heuristics (9)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (severity: critical; CVE likely; rule CVE_2007_3899)
    The top-level Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region containing an abnormal INT_MAX run and inflated text counters, together with exploit payload or Mdropper.Z campaign evidence. The 2007-08-13 creation stamp comes from forgeable document metadata and should not be used on its own to date the campaign.
  • CVE-2008-2244 — Microsoft Word record-parsing payload (in carved embedded Office document) (severity: critical; CVE likely; rule CVE_2008_2244)
    This finding applies to the carved embedded Office document found at a nonzero offset inside the submitted file (embedded_office_off0000560d.ole, offset 0x560D, 311,938 bytes, running to end of file), not directly to the top-level document. That child has normal, small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable (severity: critical; rule OLE_EMBEDDED_EXE)
    An MZ/PE header pair was found inside the document at offset 0x2B96F; the 155,424 bytes from there to end of file were carved as embedded_office_0002b96f.exe (see Extracted artifacts). A raw PE image at an arbitrary file offset is a possible embedded executable and should be triaged as such even though ClamAV returns no match for it.
  • Embedded Office document has suspicious static findings (severity: critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file would otherwise be routed to a PE, archive, or generic scanner instead of the Office scanner.
  • x86 GetPC stub (CALL $+5; POP EDX) (severity: high; rule SC_GETPC_CALL)
    E8 00 00 00 00 calls the very next instruction, so the POP EDX that follows loads the stub's own address into EDX; position-independent shellcode uses this to find its encoded body. Two such stubs appear in the region below (0x2C987 and 0x2C9DB). The instructions between them contain no backward branch and do not form a recognisable decoder loop, and only 5 of 9 branch targets land on an instruction boundary, so treat this as a candidate code region to confirm by emulation rather than as decoded shellcode.
    Disassembly
    x86 disassembly · validity: code (0.756); 5/9 branch targets land on an instruction boundary (56% coherence)
    0002C987  e800000000        call 0x2c98c
    0002C98C  5a                pop edx
    0002C98D  ffc2              inc edx
    0002C98F  8ac2              mov al, dl
    0002C991  ffc2              inc edx
    0002C993  eb07              jmp 0x2c99c
    0002C995  6c                insb byte ptr es:[edi], dx
    0002C996  41                inc ecx
    0002C997  6a37              push 0x37
    0002C999  383d5631faf6      cmp byte ptr [0xf6fa3156], bh
    0002C99F  c6                .byte 0xc6
    0002C9A0  a385ce8d0d        mov dword ptr [0xd8dce85], eax
    0002C9A5  a882              test al, 0x82
    0002C9A7  2a21              sub ah, byte ptr [ecx]
    0002C9A9  ffc2              inc edx
    0002C9AB  0fbeca            movsx ecx, dl
    0002C9AE  89fa              mov edx, edi
    0002C9B0  ffc2              inc edx
    0002C9B2  8d0d20de0a3d      lea ecx, [0x3d0ade20]
    0002C9B8  0fafd7            imul edx, edi
    0002C9BB  2ccb              sub al, 0xcb
    0002C9BD  0fc1d0            xadd eax, edx
    0002C9C0  0fbeca            movsx ecx, dl
    0002C9C3  d1f2              sal edx, 1
    0002C9C5  8d15c930d271      lea edx, [0x71d230c9]
    0002C9CB  31fa              xor edx, edi
    0002C9CD  c0e84b            shr al, 0x4b
    0002C9D0  0fc1d0            xadd eax, edx
    0002C9D3  0fc0c1            xadd cl, al
    0002C9D6  85ce              test esi, ecx
    0002C9D8  f6c63b            test dh, 0x3b
    0002C9DB  e800000000        call 0x2c9e0
    0002C9E0  5a                pop edx
    0002C9E1  0fc1d0            xadd eax, edx
    0002C9E4  2cfb              sub al, 0xfb
    0002C9E6  85                .byte 0x85
  • Reference to LoadLibrary API (severity: high; rule SC_STR_LOADLIBRARY)
    The string LoadLibraryA was recovered from a candidate shellcode region. Together with GetProcAddress it is the minimal pair a payload needs to resolve every other import by name at run time.
  • Reference to GetProcAddress API (severity: high; rule SC_STR_GETPROCADDRESS)
    The string GetProcAddress was recovered from the same candidate shellcode region (see Extracted artifacts). Note that an ordinary PE import table also carries both names in plain text, so inside the carved executable they are expected; the finding carries more weight where it occurs in OLE slack outside any PE image.
  • OLE document has large unaccounted-for region (severity: high; rule OLE_SLACK_ANOMALY)
    The OLE file is 333,967 bytes but its declared streams total only 18,208 bytes, so 315,759 bytes (95%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure. A 95% slack ratio in a 326 KB Word file is far outside what normal editing leaves behind.
  • Suspicious extracted artifact (severity: medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
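The OLE_SLACK_ANOMALY figure above is the gap between what the container's directory declares and what the file actually holds. The following Python is an added example, not the report's own tooling: it parses the CFB header, FAT and directory directly (no olefile dependency), reports the same declared-streams-versus-file-size metric the report uses, and also the tighter figure of bytes not covered by any FAT-allocated sector, which separates data appended past the FAT from sectors that are allocated but orphaned. It runs on a minimal container constructed in build_sample_cfb, not on the analysed sample; all function names are the example's own.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SECT_FAT, SECT_END, SECT_FREE = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5  # directory entry object types


def cfb_slack_report(data: bytes) -> dict:
    """Compare what the CFB directory declares with what the file actually holds."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE container")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]        # sector size (512 for v3)
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    # FAT sector numbers come from the 109-entry header DIFAT; enough for v3 files
    # under ~6.8 MB, so DIFAT overflow sectors are deliberately not followed here.
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))
    declared, streams, s, seen = 0, [], first_dir, set()
    while s != SECT_END and s not in seen and s < len(fat):  # walk the directory chain
        seen.add(s)
        base = (s + 1) * sec
        for off in range(base, base + sec, 128):              # 128-byte directory entries
            if off + 128 > len(data):
                break                                          # truncated directory sector
            if data[off + 0x42] != STREAM:
                continue
            name_len = struct.unpack_from("<H", data, off + 0x40)[0]   # includes NUL terminator
            name = data[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", data, off + 0x78)[0] & 0xFFFFFFFF  # v3: low dword only
            streams.append((name, size))
            declared += size
        s = fat[s]
    allocated = sum(1 for v in fat if v != SECT_FREE)          # sectors the FAT accounts for
    file_size = len(data)
    return {
        "file_size": file_size,
        "streams": streams,
        "declared_stream_bytes": declared,
        "unaccounted_bytes": file_size - declared,             # the report's "95%" metric
        "unaccounted_ratio": round((file_size - declared) / file_size, 3),
        "unallocated_bytes": file_size - sec * (1 + allocated),  # neither header nor any FAT-allocated sector
    }


def build_sample_cfb(slack: bytes) -> bytes:
    """Constructed minimal v3 container (not the analysed file): FAT in sector 0,
    directory in sector 1, a 4096-byte WordDocument stream in sectors 2..9,
    then `slack` appended past everything the FAT knows about."""
    sec = 512
    chain = [SECT_FAT, SECT_END] + list(range(3, 10)) + [SECT_END]   # 2->3->...->9->END
    fat = chain + [SECT_FREE] * (sec // 4 - len(chain))

    def entry(name, typ, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), typ, 1, SECT_FREE, SECT_FREE, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", ROOT, 1, SECT_END, 0) + entry("WordDocument", STREAM, SECT_FREE, 2, 4096)
    hdr = bytearray(sec)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)    # version, byte order, sector shifts
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 4096, SECT_END, 0, SECT_END)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[SECT_FREE] * 108)     # DIFAT: the FAT lives in sector 0
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(sec, b"\x00") + bytes(range(256)) * 16 + slack


if __name__ == "__main__":
    print(cfb_slack_report(build_sample_cfb(b"\x41" * 8192)))
```

Run against the report's numbers the first metric gives 333,967 - 18,208 = 315,759 bytes (95%); the unallocated_bytes figure is the one to quote when arguing that the payload sits outside the FAT entirely, because it also subtracts header, FAT and directory sectors. The carved child at 0x560D starts with the same magic, so the same function can be pointed at it directly.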

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_0002b96f.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x2B96F
Size: 155,424 bytes (0x2B96F + 155,424 = 333,967, so the image runs to end of file)
SHA-256: 936a7cf88f1085980e97e9f31badd19d71c9932d2498da58dfb6d205839b6aaa
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA.

Filename: embedded_office_off0000560d.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside the OLE container at offset 0x560D
Size: 311,938 bytes (0x560D + 311,938 = 333,967, so this child also runs to end of file and contains the carved PE above, which is why both artifacts report the same shellcode indicators)
SHA-256: 59a522e762a720b01e34d891a2168688a85c0b1168679eaa08b7269113fa62f5
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY. Recovered API/import strings: GetProcAddress, LoadLibraryA.
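Both artifacts were flagged by the same three shellcode indicators, and the first was carved from an MZ header to end of file. The Python below is an added example of that static pass, not the analysis pipeline's code: it validates MZ candidates by following e_lfanew to a PE signature, carves from the header to end of file the way the 0x2B96F artifact was, finds CALL $+5 / POP r32 stubs (generalised from the POP EDX case to all eight 32-bit registers), and looks for the LoadLibrary/GetProcAddress strings. It runs on a blob constructed in build_sample, not on the sample's bytes; the function names are the example's own assumptions.

```python
import re
import struct

# Opcodes 0x58-0x5F are POP r32; the register index is the low three bits.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# E8 00 00 00 00 is CALL rel32 with displacement 0: it "calls" the next instruction,
# pushing its own address, which the following POP recovers (the GetPC idiom).
GETPC_RE = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")
API_STRINGS = (b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress")


def find_pe_headers(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        # 0x1000 is a sanity bound on the DOS stub size; widen it if samples carry large stubs.
        if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def find_getpc_stubs(data: bytes) -> list:
    """(offset, register) for every CALL $+5 / POP r32 pair in the blob."""
    return [(m.start(), POP_REGS[data[m.start() + 5] & 7]) for m in GETPC_RE.finditer(data)]


def find_api_strings(data: bytes) -> list:
    return sorted(s.decode() for s in API_STRINGS if s in data)


def carve_pe(data: bytes, off: int) -> bytes:
    """Carve from the MZ header to end of file, as the report did at 0x2B96F
    (0x2B96F + 155,424 == 333,967, the whole remainder of the file)."""
    return data[off:]


def triage(data: bytes) -> dict:
    pes = find_pe_headers(data)
    return {
        "pe_offsets": pes,
        "carved_sizes": [len(carve_pe(data, o)) for o in pes],
        "getpc": find_getpc_stubs(data),
        "api_strings": find_api_strings(data),
    }


def build_sample() -> bytes:
    """Constructed test blob, not bytes from the analysed sample: 64 bytes of filler,
    a minimal MZ/PE header pair, NOP padding, one GetPC stub and two API names."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE header right after the DOS header
    pe = b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18  # IMAGE_FILE_MACHINE_I386, rest zeroed
    getpc = b"\xe8\x00\x00\x00\x00\x5a\xff\xc2"                   # call $+5 ; pop edx ; inc edx (as at 0x2C987)
    return b"\x00" * 0x40 + bytes(dos) + pe + b"\x90" * 16 + getpc + b"LoadLibraryA\x00GetProcAddress\x00"


if __name__ == "__main__":
    print(triage(build_sample()))
```

A bare CALL $+5 match is weak evidence on its own: unrelocated object code and some position-independent compiler output also contain E8 00 00 00 00, which is why the report pairs the stub with a code-coherence score. Corroborate a hit by checking that the bytes after the POP actually use the recovered register to address and decode data, or by emulating the region.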