MALICIOUS
Risk Score: 620

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1105 Ingress Tool Transfer
The sample is a malicious OLE document exploiting two known vulnerabilities (CVE-2007-3899 and CVE-2008-2244) to drop and execute a PE file. The heuristics indicate references to process-injection-related APIs (CreateProcess, VirtualAlloc, WriteProcessMemory) and to mshta.exe, suggesting a payload execution attempt. The embedded PE executable is the primary indicator of malicious intent.
Heuristics: 14

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document; possible embedded executable.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- x86 GetPC stub (CALL $+5; POP EDX) (high, SC_GETPC_CALL)

  Disassembly (attempted x86 opcode disassembly):

  ```
  0002C991 e800000000            call 0x2c996
  0002C996 5a                    pop edx
  0002C997 85ce                  test esi, ecx
  0002C999 f6d8                  neg al
  0002C99B 87d0                  xchg eax, edx
  0002C99D 8ac2                  mov al, dl
  0002C99F e800000000            call 0x2c9a4
  0002C9A4 5a                    pop edx
  0002C9A5 87d0                  xchg eax, edx
  0002C9A7 eb07                  jmp 0x2c9b0
  0002C9A9 ac                    lodsb al, byte ptr [esi]
  0002C9AA 81aa77787d96f7c129e8  sub dword ptr [edx - 0x69828789], 0xe829c1f7
  0002C9B4 4b                    dec ebx
  0002C9B5 1089fae80000          adc byte ptr [ecx + 0xe8fa], cl
  0002C9BB 0000                  add byte ptr [eax], al
  0002C9BD 5a                    pop edx
  0002C9BE 0fc1d0                xadd eax, edx
  0002C9C1 f6c6bb                test dh, 0xbb
  0002C9C4 0fc1d0                xadd eax, edx
  0002C9C7 8d0d00a3ba9d          lea ecx, [0x9dbaa300]
  0002C9CD 31fa                  xor edx, edi
  0002C9CF 0fc1d0                xadd eax, edx
  0002C9D2 eb07                  jmp 0x2c9db
  0002C9D4 4c                    dec esp
  0002C9D5 a14a97189d            mov eax, dword ptr [0x9d18974a]
  0002C9DA 360fc1d0              xadd eax, edx
  0002C9DE 0fb7d7                movzx edx, di
  0002C9E1 85ce                  test esi, ecx
  0002C9E3 ba416147e3            mov edx, 0xe3476141
  0002C9E8 c0e85b                shr al, 0x5b
  0002C9EB ffc2                  inc edx
  0002C9ED 8d                    .byte 0x8d
  0002C9EE 0d                    .byte 0x0d
  0002C9EF a0                    .byte 0xa0
  0002C9F0 e6                    .byte 0xe6
  ```

- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Reference to mshta.exe (high, SC_STR_MSHTA)
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 1,302,330 bytes but its declared streams total only 18,208 bytes; 1,284,122 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 1123787 bytes |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 1280301 bytes |

embedded_office_0002b96f.exe
- SHA-256: 4ecce36b9bd29e0390cf047d873eeb268151de8e63b534455508c4b7ecd77f26
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx. Recovered command string(s): mshta.exe

embedded_office_off0000560d.ole
- SHA-256: 59113594d1b0116c63abe72fd51096712fa412c9649771284781282560ddf208
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx. Recovered command string(s): mshta.exe