Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 82aefa601466e3f9…

MALICIOUS

Office (OLE) / .DOC

91.0 KB Created: 2008-09-04 01:27:16 Authoring application: Microsoft Office Word
MD5: bbcf9242e5ca64a2ed8b49ec89da8cd1 SHA-1: 188585c4ec000e70f7d67ed008a7a46403f1af2b SHA-256: 82aefa601466e3f9fb1e956dae08aa5356b8e62d85e9da793b2559ec1993eba7
340 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains an embedded executable. It exploits CVE-2008-2244, a known vulnerability in Microsoft Word's record-parsing, to achieve code execution. The embedded executable is then run, likely to download and execute a second-stage payload.

Heuristics 8

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 93,184 bytes but its declared streams total only 34,365 bytes — 58,819 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000bc00.exe
5093932c7ff76105a6634565081bd80e28019df4cd893e5a172f067e96d0dbea		 embedded-pe Office MZ+PE at offset 0xBC00 45056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.