Verdict: MALICIOUS
Risk Score: 700

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.001 PowerShell
The sample is a malicious Microsoft Word document exploiting known vulnerabilities (CVE-2007-3899, CVE-2008-2244) to embed and execute a PE file. Heuristics indicate the use of APIs like CreateProcess, VirtualProtect, and WriteProcessMemory, suggesting the embedded executable is designed for malicious actions such as downloading and running further payloads. The document body contains unrelated news content, indicating a lure.
Heuristics (14)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely, CVE_2007_3899]: Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload [critical, CVE likely, CVE_2008_2244]: Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Malware.Razy-9886340-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
- Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document — possible embedded executable
- Embedded Office document has suspicious static findings [critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]: A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- x86 GetPC stub (CALL $+5; POP EDX) [high, SC_GETPC_CALL]

  Disassembly (attempted x86 opcode disassembly):

  ```
  0002C9BE e800000000 call 0x2c9c3
  0002C9C3 5a pop edx
  0002C9C4 e800000000 call 0x2c9c9
  0002C9C9 5a pop edx
  0002C9CA e800000000 call 0x2c9cf
  0002C9CF 5a pop edx
  0002C9D0 31fa xor edx, edi
  0002C9D2 2cb3 sub al, 0xb3
  0002C9D4 0fc1d0 xadd eax, edx
  0002C9D7 84f5 test ch, dh
  0002C9D9 81f2e9f91f49 xor edx, 0x491ff9e9
  0002C9DF 31fa xor edx, edi
  0002C9E1 69c8f83d2162 imul ecx, eax, 0x62213df8
  0002C9E7 e800000000 call 0x2c9ec
  0002C9EC 5a pop edx
  0002C9ED 0fafd1 imul edx, ecx
  0002C9F0 f6c6ab test dh, 0xab
  0002C9F3 0fc1d0 xadd eax, edx
  0002C9F6 0fbeca movsx ecx, dl
  0002C9F9 87d0 xchg eax, edx
  0002C9FB 0fbeca movsx ecx, dl
  0002C9FE ffc2 inc edx
  0002CA00 c0e813 shr al, 0x13
  0002CA03 bab1b66077 mov edx, 0x7760b6b1
  0002CA08 c0e88b shr al, 0x8b
  0002CA0B 0fc1d0 xadd eax, edx
  0002CA0E 0fbeca movsx ecx, dl
  0002CA11 ffc2 inc edx
  0002CA13 8d0d088888ab lea ecx, [0xab888808]
  0002CA19 eb01 jmp 0x2ca1c
  0002CA1B 6e outsb dx, byte ptr [esi]
  0002CA1C 0f .byte 0x0f
  0002CA1D af scasd eax, dword ptr es:[edi]
  ```

- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 515,162 bytes but its declared streams total only 18,208 bytes — 496,954 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Clipboard command execution lure [high, SE_CLIPBOARD_COMMAND_LURE]: Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 336619 bytes | b490053e258249adf9bce6c8e3c1b8426fc60e03731c25b6aa2e8829971649bb |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 493133 bytes | e761553b8e093292e35f8a6602b783f42e9d7e9a1f7b3ac273f2c35eb1586fa9 |

Detection (identical for both artifacts):
- ClamAV: Win.Malware.Razy-9886340-0
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS
- Static shellcode analysis recovered API/import strings: CreateProcessW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualProtect, WriteProcessMemory