Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c41cefd19c6bda1…

MALICIOUS

Office (OLE)

151.3 KB
MD5: 972d8975b7ccb2e524aece2621a02666 SHA-1: c2eeef21580bde893edff7df42902824bca26eba SHA-256: 7c41cefd19c6bda11e11d8334cc79bbe44392389e2d1ebc5bf05d58f2029eb6a
300 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Office document that contains an embedded PE executable. It exploits CVE-2008-2244, a vulnerability in Microsoft Word's record-parsing, to achieve code execution. The embedded executable is the primary payload, and its presence is a critical finding.

Heuristics 7

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 154,884 bytes but its declared streams total only 31,351 bytes — 123,533 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015800.exe
18c7b709e540d5876e1292f14977aa898635074b4d1cee27323b39d9c10bdb14		 embedded-pe Office MZ+PE at offset 0x15800 66820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.