Verdict: MALICIOUS
Risk Score: 662
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.003 Windows Command Shell
The sample is a PowerPoint (OLE/CFB) document shaped like an exploit for CVE-2006-0022, the malformed-record vulnerability in Microsoft PowerPoint 2000 through 2003 fixed in MS06-028, used here for client-side execution (T1203). The document carries an embedded PE executable, which the analyzer carved at offset 0x4D31 and which ClamAV identifies as Win.Trojan.Exploit-110. The carved payload references CreateProcess, WriteProcessMemory and CreateRemoteThread, the usual trio for starting a process and injecting a thread into it, and contains shellcode markers (a CALL $+5; POP EAX GetPC stub and FS:[0x30] PEB access followed by ROR13 API hashing) consistent with a position-independent loader that resolves its imports by hash. 'CMD.EXE' next to a command verb in the extracted document text supports Windows Command Shell execution (T1059.003). Two caveats for triage: the SC_STR_* hits are plain string matches that many benign binaries also carry, so the verdict rests on their combination with the exploit shape and the AV hit on the carved artifact; and because the vulnerability dates from 2006, dynamic confirmation needs an unpatched PowerPoint build of that era, since a fully patched Office will not trigger it.
Heuristics (15)
- CVE-2006-0022 — PowerPoint malformed picture-record payload (critical; CVE likely; CVE_2006_0022): PowerPoint OLE file contains a malformed large Pictures stream that cannot be read through the declared CFB chain, while the contiguous stream bytes contain image material and a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit fixed as CVE-2006-0022.
- Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
- Embedded PE executable (critical; OLE_EMBEDDED_EXE): MZ/PE header found inside document, possible embedded executable.
- ClamAV: Win.Trojan.Exploit-110 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Exploit-110.
- ClamAV detection on extracted artifact (critical; EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
- x86 GetPC stub (CALL $+5; POP EAX) (high; SC_GETPC_CALL)
- PEB access via FS segment (x86) (high; SC_PEB_ACCESS)
- PEB API-hash resolver (high; SC_API_HASH_RESOLVER): PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
- Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
- LOLBin token sequence in document text (high; SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00004d31.exe | embedded-pe | Office MZ+PE at offset 0x4D31 | 611535 bytes |

Hash: 3414a431ad6089ea1cc36f64d5540b9622d1133e7d84318f5133c18878a45efd
Detection: ClamAV Win.Trojan.Exploit-110
Obfuscation or payload: likely. Carved artifact entropy is 7.73, consistent with packed or encrypted content.
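The heuristics list and the artifact table above describe a static triage that can be reproduced outside the analyzer. The script below is an added example, not the analyzer's own code and not derived from the real sample: it carves MZ/PE images out of a document blob (the OLE_EMBEDDED_EXE check), sizes each image from its section table, records hash and Shannon entropy as the artifact table does, and scans each image for the x86 GetPC stub, FS:[0x30] PEB reads and ROR13 API-name hashes (the SC_GETPC_CALL, SC_PEB_ACCESS and SC_API_HASH_RESOLVER checks). The input is a constructed blob (CFB magic, filler, two minimal fake PEs); the 7.0 entropy threshold, the 0x1000 bound on e_lfanew and the API watch-list are assumptions.

```python
"""Static triage for an Office/OLE blob: carve embedded PEs, score entropy, flag shellcode
markers. Added example, not the analyzer's code; all inputs below are constructed."""
import hashlib
import math
import re
import struct

GETPC_CALL_POP_EAX = b"\xe8\x00\x00\x00\x00\x58"   # CALL $+5 ; POP EAX
# MOV EAX, FS:[0x30]  (64 A1 30 00 00 00)  or  MOV r32, FS:[0x30]  (64 8B /r, disp32): PEB pointer
PEB_FS30_RE = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def ror13_hash(name: str) -> int:
    """Classic PEB-walking import hash: h = ror32(h, 13) + byte over the ASCII name, no terminator."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Assumed watch-list; extend with whatever imports a resolver is expected to look up.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateProcessA",
             "WriteProcessMemory", "CreateRemoteThread", "WinExec", "ExitProcess"]
API_HASHES = {ror13_hash(n): n for n in API_NAMES}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; the report treats 7.73 as 'packed or encrypted'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_pe(blob: bytes):
    """Return (offset, image) for each 'MZ' whose e_lfanew lands on 'PE\\0\\0'. The image is
    sized from the section table (max PointerToRawData + SizeOfRawData), since the carrier
    stream continues past the end of the embedded executable."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # 0x1000 is an assumed sanity bound on e_lfanew, not a format rule.
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00" and pe + 24 <= len(blob):
                nsect = struct.unpack_from("<H", blob, pe + 6)[0]
                opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
                img_len = e_lfanew + 24 + opt_size + 40 * nsect   # headers at minimum
                for i in range(nsect):
                    sh = pe + 24 + opt_size + 40 * i
                    if sh + 40 > len(blob):
                        break
                    raw_size, raw_ptr = struct.unpack_from("<II", blob, sh + 16)
                    img_len = max(img_len, raw_ptr + raw_size)
                found.append((pos, blob[pos:pos + img_len]))
        pos = blob.find(b"MZ", pos + 1)
    return found


def scan_shellcode(data: bytes) -> dict:
    """Locate the GetPC stub, FS:[0x30] reads, and any dword equal to a known ROR13 API hash."""
    hashes = []
    for off in range(len(data) - 3):
        v = struct.unpack_from("<I", data, off)[0]
        if v in API_HASHES:
            hashes.append((off, API_HASHES[v]))
    return {"getpc_call": data.find(GETPC_CALL_POP_EAX),
            "peb_fs30": [m.start() for m in PEB_FS30_RE.finditer(data)],
            "api_hashes": hashes}


def triage(blob: bytes) -> list:
    """One record per carved PE, mirroring the report's artifact table."""
    records = []
    for off, img in carve_pe(blob):
        ent = shannon_entropy(img)
        records.append({"offset": off, "size": len(img), "sha256": hashlib.sha256(img).hexdigest(),
                        "entropy": round(ent, 2), "packed_likely": ent > 7.0,   # 7.0: assumed threshold
                        **scan_shellcode(img)})
    return records


# ---- constructed sample (not the real file): CFB magic, filler, two minimal fake PEs ----
def build_fake_pe(payload: bytes) -> bytes:
    """Smallest layout carve_pe accepts: DOS header, PE signature, COFF header, one section."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)              # i386, 1 section, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40                                         # = 0x80, right after the section header
    sect = b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                                              raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + sect + payload


RESOLVER_STUB = (GETPC_CALL_POP_EAX                                           # CALL $+5 ; POP EAX
                 + b"\x64\xa1\x30\x00\x00\x00"                                # MOV EAX, FS:[0x30]
                 + b"\x8b\x40\x0c"                                            # MOV EAX, [EAX+0x0C]  (PEB.Ldr)
                 + b"\xbf" + struct.pack("<I", ror13_hash("LoadLibraryA"))    # MOV EDI, <hash>
                 + b"\xbf" + struct.pack("<I", ror13_hash("GetProcAddress"))
                 + b"CMD.EXE /c calc\x00")
PACKED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4 KiB, high entropy
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x1F8 + b"\x90" * 0x100
          + build_fake_pe(RESOLVER_STUB) + build_fake_pe(PACKED_BLOB))

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```

Run stand-alone it prints two records: the first carved at 0x300 with the GetPC stub at image offset 0x80, the PEB read at 0x86 and both hash immediates resolved to their API names; the second with entropy above 7.9 and no shellcode markers. On a real sample the dword-hash scan is the weakest of the three checks (it fires on any four bytes that happen to equal a watched hash), so treat a hit as meaningful only next to a PEB read or GetPC stub, which is how the report's SC_API_HASH_RESOLVER heuristic is phrased.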