Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 68e411bc7f56ca0d…

MALICIOUS

Office (OLE) / .DOC

116.2 KB
MD5: 8e67a9c3383aaa8d7f3e9d82efbda915
SHA-1: 001b76d5f1d40090df4b0c3508ad95369a713e8f
SHA-256: 68e411bc7f56ca0dbee65e76b863b81590d2d1fd880dc2447277de3b9cbaf03d
Risk Score: 844

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is a malicious OLE document that exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word. It contains an embedded PE executable and references suspicious APIs like CreateProcess, ShellExecute, and WriteProcessMemory, indicating it likely attempts to execute the embedded payload. The document also contains lures to trick users into running commands, further supporting the malicious intent.

Heuristics 22

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical] [CVE likely] CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Word 6/95 legacy binary with executable payload [high] [CVE related] WORD6_LEGACY_BINARY_PAYLOAD
    File uses the legacy Word 6/95 binary format and carries executable payload markers. This is a legacy converter attack surface and is MS09-024/CVE-2009-1136-family evidence, but the malformed converter record is not proven statically.
  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP EBP) [high] SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Heap-spray pattern detected [high] SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (FileOpenError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://%s:%d/PUT[%s]/FC001/%s
    • http://%s:%d/FC001/%s
    • http://www.microsoft.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

embedded_office_00001000.exe
  SHA-256: 21d6c30f5444407c53769c703b5664cdd289b291ea836f669b9ea39f9d053167
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x1000
  Size: 114848 bytes
  Detection: ClamAV: Win.Trojan.Agent-117678
  Obfuscation or payload: unlikely

embedded_office_off00017000.ole
  SHA-256: 787fbc0c47ac57bcf2ff5dcfde3fdbe60b4cb8d234cca9e9657dd72b1779730c
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside ole container at offset 0x17000
  Size: 24736 bytes