Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c2130870160daac…

MALICIOUS

Office (OLE)

Size: 503.1 KB
Created: 2007-08-13 02:12:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: d3d08b68a5f2fe21cd6b9aece7086b1c
SHA-1: ddbecd307156819b857528a5fcc3855a017f8fe9
SHA-256: 6c2130870160daac7f43278561d208385ac23b6c3bf9a742f595d6350e228fa0
Risk Score: 700

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The sample is a malicious Microsoft Word document exploiting known vulnerabilities (CVE-2007-3899, CVE-2008-2244) to embed and execute a PE file. Heuristics indicate the use of APIs like CreateProcess, VirtualProtect, and WriteProcessMemory, suggesting the embedded executable is designed for malicious actions such as downloading and running further payloads. The document body contains unrelated news content, indicating a lure.

Heuristics (14)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; rule CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; rule CVE_2008_2244)
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Razy-9886340-0 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
  • Reference to WriteProcessMemory API (critical; rule SC_STR_WRITEPROCESSMEMORY)
    Reference to WriteProcessMemory API
  • Embedded PE executable (critical; rule OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings (critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • x86 GetPC stub (CALL $+5; POP EDX) (high; rule SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP EDX)
    Disassembly
    Attempted x86 opcode disassembly
    0002C9BE  e800000000        call 0x2c9c3
    0002C9C3  5a                pop edx
    0002C9C4  e800000000        call 0x2c9c9
    0002C9C9  5a                pop edx
    0002C9CA  e800000000        call 0x2c9cf
    0002C9CF  5a                pop edx
    0002C9D0  31fa              xor edx, edi
    0002C9D2  2cb3              sub al, 0xb3
    0002C9D4  0fc1d0            xadd eax, edx
    0002C9D7  84f5              test ch, dh
    0002C9D9  81f2e9f91f49      xor edx, 0x491ff9e9
    0002C9DF  31fa              xor edx, edi
    0002C9E1  69c8f83d2162      imul ecx, eax, 0x62213df8
    0002C9E7  e800000000        call 0x2c9ec
    0002C9EC  5a                pop edx
    0002C9ED  0fafd1            imul edx, ecx
    0002C9F0  f6c6ab            test dh, 0xab
    0002C9F3  0fc1d0            xadd eax, edx
    0002C9F6  0fbeca            movsx ecx, dl
    0002C9F9  87d0              xchg eax, edx
    0002C9FB  0fbeca            movsx ecx, dl
    0002C9FE  ffc2              inc edx
    0002CA00  c0e813            shr al, 0x13
    0002CA03  bab1b66077        mov edx, 0x7760b6b1
    0002CA08  c0e88b            shr al, 0x8b
    0002CA0B  0fc1d0            xadd eax, edx
    0002CA0E  0fbeca            movsx ecx, dl
    0002CA11  ffc2              inc edx
    0002CA13  8d0d088888ab      lea ecx, [0xab888808]
    0002CA19  eb01              jmp 0x2ca1c
    0002CA1B  6e                outsb dx, byte ptr [esi]
    0002CA1C  0f                .byte 0x0f
    0002CA1D  af                scasd eax, dword ptr es:[edi]
  • Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY)
    OLE file is 515,162 bytes but its declared streams total only 18,208 bytes — 496,954 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Clipboard command execution lure (high; rule SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualProtect API (medium; rule SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0002b96f.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x2B96F
    Size: 336619 bytes
    SHA-256: b490053e258249adf9bce6c8e3c1b8426fc60e03731c25b6aa2e8829971649bb
    Detection: ClamAV: Win.Malware.Razy-9886340-0
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS.
    Static shellcode analysis recovered API/import strings: CreateProcessW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualProtect, WriteProcessMemory.
  • Filename: embedded_office_off0000560d.ole
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside OLE container at offset 0x560D
    Size: 493133 bytes
    SHA-256: e761553b8e093292e35f8a6602b783f42e9d7e9a1f7b3ac273f2c35eb1586fa9
    Detection: ClamAV: Win.Malware.Razy-9886340-0
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS.
    Static shellcode analysis recovered API/import strings: CreateProcessW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualProtect, WriteProcessMemory.