Verdict: MALICIOUS
Risk Score: 560

Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is a malicious OLE document that leverages two critical vulnerabilities, CVE-2007-3899 and CVE-2008-2244, to embed and execute a PE file. The embedded executable is likely a second-stage payload, indicated by the presence of shellcode API strings such as CreateProcess, LoadLibrary, and GetProcAddress. The document body content appears to be unrelated news, suggesting a lure.
Heuristics (12)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (severity: critical, CVE likely; rule CVE_2007_3899). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (severity: critical, CVE likely; rule CVE_2008_2244). Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- Reference to CreateRemoteThread API (severity: critical; rule SC_STR_CREATEREMOTETHREAD).
- Embedded PE executable (severity: critical; rule OLE_EMBEDDED_EXE). MZ/PE header found inside document — possible embedded executable.
- Embedded Office document has suspicious static findings (severity: critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE). A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected (severity: high; rule SC_NOP_SLED). Found 20+ consecutive 0x90 bytes.
  Disassembly (attempted x86 opcode disassembly of the sled region):

  ```
  00064C8A 90 nop
  00064C8B 90 nop
  00064C8C 90 nop
  00064C8D 90 nop
  00064C8E 90 nop
  00064C8F 90 nop
  00064C90 90 nop
  00064C91 90 nop
  00064C92 90 nop
  00064C93 90 nop
  00064C94 90 nop
  00064C95 90 nop
  00064C96 90 nop
  00064C97 90 nop
  00064C98 90 nop
  00064C99 90 nop
  00064C9A 90 nop
  00064C9B 90 nop
  00064C9C 90 nop
  00064C9D 90 nop
  00064C9E 90 nop
  00064C9F 90 nop
  00064CA0 90 nop
  00064CA1 90 nop
  00064CA2 90 nop
  00064CA3 90 nop
  00064CA4 90 nop
  00064CA5 90 nop
  00064CA6 90 nop
  00064CA7 90 nop
  00064CA8 90 nop
  00064CA9 90 nop
  00064CAA 90 nop
  00064CAB 90 nop
  00064CAC 90 nop
  00064CAD 90 nop
  00064CAE 90 nop
  00064CAF 90 nop
  00064CB0 90 nop
  00064CB1 90 nop
  00064CB2 90 nop
  00064CB3 90 nop
  00064CB4 90 nop
  00064CB5 90 nop
  00064CB6 90 nop
  00064CB7 90 nop
  00064CB8 90 nop
  00064CB9 90 nop
  00064CBA 90 nop
  00064CBB 90 nop
  00064CBC 90 nop
  00064CBD 90 nop
  00064CBE 90 nop
  00064CBF 90 nop
  00064CC0 90 nop
  00064CC1 90 nop
  00064CC2 90 nop
  00064CC3 90 nop
  00064CC4 90 nop
  00064CC5 90 nop
  00064CC6 90 nop
  00064CC7 90 nop
  00064CC8 90 nop
  00064CC9 90 nop
  00064CCA 90 nop
  00064CCB 90 nop
  00064CCC 90 nop
  00064CCD 90 nop
  00064CCE 90 nop
  00064CCF 90 nop
  00064CD0 90 nop
  00064CD1 90 nop
  00064CD2 90 nop
  00064CD3 90 nop
  00064CD4 90 nop
  00064CD5 90 nop
  00064CD6 90 nop
  00064CD7 90 nop
  00064CD8 90 nop
  00064CD9 90 nop
  00064CDA 90 nop
  00064CDB 90 nop
  00064CDC 90 nop
  00064CDD 90 nop
  00064CDE 90 nop
  00064CDF 90 nop
  00064CE0 90 nop
  00064CE1 90 nop
  00064CE2 90 nop
  00064CE3 90 nop
  00064CE4 90 nop
  00064CE5 90 nop
  00064CE6 90 nop
  00064CE7 90 nop
  00064CE8 90 nop
  00064CE9 90 nop
  ```
- x86 GetPC stub (CALL $+5; POP EAX) (severity: high; rule SC_GETPC_CALL).
  Disassembly (attempted x86 opcode disassembly of the GetPC region):

  ```
  00064012 e800000000   call 0x64017
  00064017 58           pop eax
  00064018 0fbfd2       movsx edx, dx
  0006401B 0fc1c8       xadd eax, ecx
  0006401E e802000000   call 0x64025
  00064023 90           nop
  00064024 90           nop
  00064025 58           pop eax
  00064026 1bc0         sbb eax, eax
  00064028 b8ad192389   mov eax, 0x892319ad
  0006402D 87c0         xchg eax, eax
  0006402F 0fc1c1       xadd ecx, eax
  00064032 0fc1c2       xadd edx, eax
  00064035 85ea         test edx, ebp
  00064037 87d2         xchg edx, edx
  00064039 87d1         xchg ecx, edx
  0006403B e802000000   call 0x64042
  00064040 90           nop
  00064041 90           nop
  00064042 59           pop ecx
  00064043 3d7498b89f   cmp eax, 0x9fb89874
  00064048 f7c024f50c51 test eax, 0x510cf524
  0006404E 8d15d425f36a lea edx, [0x6af325d4]
  00064054 4a           dec edx
  00064055 21e8         and eax, ebp
  00064057 0fafc8       imul ecx, eax
  0006405A f7c109c6a7cf test ecx, 0xcfa7c609
  00064060 e802000000   call 0x64067
  00064065 90           nop
  00064066 90           nop
  00064067 5a           pop edx
  00064068 69cf409319a7 imul ecx, edi, 0xa7199340
  0006406E c3           ret
  0006406F 0000         add byte ptr [eax], al
  00064071 00           .byte 0x00
  ```
- Reference to CreateProcess API (severity: high; rule SC_STR_CREATEPROCESS).
- Reference to LoadLibrary API (severity: high; rule SC_STR_LOADLIBRARY).
- Reference to GetProcAddress API (severity: high; rule SC_STR_GETPROCADDRESS).
- OLE document has large unaccounted-for region (severity: high; rule OLE_SLACK_ANOMALY). OLE file is 631,251 bytes but its declared streams total only 18,208 bytes — 613,043 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (severity: medium; rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 452,708 bytes | c823cd2bd4fd4000e3585ccebc98812746364c17e635c91fc77e3809409066f9 |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 609,222 bytes | 881fbbfedbb61980b9dcfbd418547153f173716c7484a208c8b1b67ec07283ff |

Detection for embedded_office_0002b96f.exe:
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEREMOTETHREAD, SC_STR_GETPROCADDRESS. Static shellcode analysis recovered API/import strings: CreateRemoteThread, GetProcAddress, LoadLibraryA, CreateProcessW

Detection for embedded_office_off0000560d.ole:
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEREMOTETHREAD, SC_STR_GETPROCADDRESS. Static shellcode analysis recovered API/import strings: CreateRemoteThread, GetProcAddress, LoadLibraryA, CreateProcessW