Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 PowerShell
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to achieve code execution. It then uses a constructed command line that invokes cmd.exe to run PowerShell, which downloads and executes a script from http://evilserver.ninja/pp.ps1. This indicates a downloader or dropper functionality.
Heuristics (5)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, rule CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Heap-spray pattern detected (high, rule SC_HEAP_SPRAY): Repeated 0x07 bytes found.
  Disassembly: attempted x86 opcode disassembly of the repeated-byte region.
- Reference to PowerShell (high, rule SC_STR_POWERSHELL): Reference to PowerShell.
- LOLBin token sequence in document text (high, rule SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Embedded URL (info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://evilserver.ninja/pp.ps1 - In document text (OLE body)
  - http://www.dacostabalboa.com/yoni - In document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography - In document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml - In document text (OLE body)