Verdict: MALICIOUS
Risk Score: 680

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution; T1105 Ingress Tool Transfer
The sample is a Microsoft Word document that exploits CVE-2007-3899 and CVE-2008-2244 to embed and execute a PE executable. Heuristics indicate Metasploit reverse shellcode and the use of WinExec, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is designed to establish a reverse shell. The document body contains unrelated news content, indicating it is likely a lure.
Heuristics (14)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, `CVE_2007_3899`): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely, `CVE_2008_2244`): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Trojan.Agent-36081 (critical, `CLAMAV_DETECTION`): ClamAV detected this file as malware: Win.Trojan.Agent-36081.
- Metasploit reverse_tcp shellcode (critical, `SC_MSF_REVERSE`): Metasploit reverse_tcp shellcode. Attempted x86 opcode disassembly of the flagged region:

  ```
  0007EA6E fc              cld
  0007EA6F e882000000      call 0x7eaf6
  0007EA74 5f              pop edi
  0007EA75 5e              pop esi
  0007EA76 5b              pop ebx
  0007EA77 8be5            mov esp, ebp
  0007EA79 5d              pop ebp
  0007EA7A c3              ret
  0007EA7B 8d4000          lea eax, [eax]
  0007EA7E 53              push ebx
  0007EA7F 56              push esi
  0007EA80 8bd8            mov ebx, eax
  0007EA82 3b5324          cmp edx, dword ptr [ebx + 0x24]
  0007EA85 7436            je 0x7eabd
  0007EA87 8bf2            mov esi, edx
  0007EA89 85f6            test esi, esi
  0007EA8B 7518            jne 0x7eaa5
  0007EA8D 33c0            xor eax, eax
  0007EA8F 8a4318          mov al, byte ptr [ebx + 0x18]
  0007EA92 8b0485c06c4500  mov eax, dword ptr [eax*4 + 0x456cc0]
  0007EA99 50              push eax
  0007EA9A a1f86e4500      mov eax, dword ptr [0x456ef8]
  0007EA9F 8b00            mov eax, dword ptr [eax]
  0007EAA1 ffd0            call eax
  0007EAA3 8bd0            mov edx, eax
  0007EAA5 895324          mov dword ptr [ebx + 0x24], edx
  0007EAA8 c6434401        mov byte ptr [ebx + 0x44], 1
  0007EAAC 8b4304          mov eax, dword ptr [ebx + 4]
  0007EAAF e8ba060000      call 0x7f16e
  0007EAB4 85f6            test esi, esi
  0007EAB6 7505            jne 0x7eabd
  0007EAB8 33c0            xor eax, eax
  0007EABA 894324          mov dword ptr [ebx + 0x24], eax
  0007EABD 5e              pop esi
  0007EABE 5b              pop ebx
  0007EABF c3              ret
  0007EAC0 8bc0            mov eax, eax
  0007EAC2 3b5028          cmp edx, dword ptr [eax + 0x28]
  0007EAC5 7413            je 0x7eada
  0007EAC7 895028          mov dword ptr [eax + 0x28], edx
  0007EACA c6402c00        mov byte ptr [eax + 0x2c], 0
  ```

- Embedded PE executable (critical, `OLE_EMBEDDED_EXE`): MZ/PE header found inside document — possible embedded executable.
- Embedded Office document has suspicious static findings (critical, `EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE`): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- Reference to WinExec API (high, `SC_STR_WINEXEC`).
- Reference to LoadLibrary API (high, `SC_STR_LOADLIBRARY`).
- Reference to GetProcAddress API (high, `SC_STR_GETPROCADDRESS`).
- OLE document has large unaccounted-for region (high, `OLE_SLACK_ANOMALY`): OLE file is 911,009 bytes but its declared streams total only 18,208 bytes — 892,801 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes (high, `OLE_APPENDED_PAYLOAD`): OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Reference to VirtualAlloc API (medium, `SC_STR_VIRTUALALLOC`).
- Reference to VirtualProtect API (medium, `SC_STR_VIRTUALPROTECT`).
- Suspicious extracted artifact (medium, `EXTRACTED_FILE_STATIC_TRIAGE`): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0003694a.exe | embedded-pe | Office MZ+PE at offset 0x3694A | 687447 bytes | cb74a2150f949d3659a1b6a7c5e7cfef30cc21b17eb174d15acae7a1538d8d50 |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 888980 bytes | e8e1436d99d42eab245f4eda41ec0bdf6c976e6927a44ac12efa4ecf17efb3ee |

Detection (identical for both artifacts):

- ClamAV: Win.Trojan.Agent-36081
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_WINEXEC, SC_STR_LOADLIBRARY
- Static shellcode analysis recovered API/import strings: LoadLibraryA, VirtualAlloc, GetProcAddress, version.dll, VirtualProtect, ExitProcess