Win.Malware.Razy-9886340-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 82eccce80b324289…

MALICIOUS

Office (OLE)

Size: 745.5 KB
Created: 2007-08-13 02:12:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: c517d8b94bfbd28efd3d1efc7ce75a30
SHA-1: 8566a367a7d01888a7e096df3a2f9e8327801cbb
SHA-256: 82eccce80b324289aaab2d468d024d144cd2fb2c2f49f93286a3eeb50664a0bb
Risk Score: 922

Malware Insights

Win.Malware.Razy-9886340-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample is a malicious OLE document exploiting CVE-2007-3899 and CVE-2008-2244, which are known to facilitate the execution of embedded payloads. It contains an embedded PE executable and references APIs like CreateProcess, WinExec, and WriteProcessMemory, indicating its intent to run malicious code. The ClamAV detection of Win.Malware.Razy-9886340-0 further supports its malicious nature.

Heuristics 20

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [severity: critical; CVE likely; rule: CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload [severity: critical; CVE likely; rule: CVE_2008_2244]
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Razy-9886340-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
  • Reference to URLDownloadToFile API [severity: critical; rule: SC_STR_URLDOWNLOAD]
  • Reference to WriteProcessMemory API [severity: critical; rule: SC_STR_WRITEPROCESSMEMORY]
  • Reference to CreateRemoteThread API [severity: critical; rule: SC_STR_CREATEREMOTETHREAD]
  • Embedded PE executable [severity: critical; rule: OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings [severity: critical; rule: EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • x86 GetPC stub (CALL $+5; POP EDX) [severity: high; rule: SC_GETPC_CALL]
    Disassembly (attempted x86 opcode disassembly):
    0002C987  e800000000        call 0x2c98c
    0002C98C  5a                pop edx
    0002C98D  ffc2              inc edx
    0002C98F  8ac2              mov al, dl
    0002C991  ffc2              inc edx
    0002C993  eb07              jmp 0x2c99c
    0002C995  6c                insb byte ptr es:[edi], dx
    0002C996  41                inc ecx
    0002C997  6a37              push 0x37
    0002C999  383d5631faf6      cmp byte ptr [0xf6fa3156], bh
    0002C99F  c6                .byte 0xc6
    0002C9A0  a385ce8d0d        mov dword ptr [0xd8dce85], eax
    0002C9A5  a882              test al, 0x82
    0002C9A7  2a21              sub ah, byte ptr [ecx]
    0002C9A9  ffc2              inc edx
    0002C9AB  0fbeca            movsx ecx, dl
    0002C9AE  89fa              mov edx, edi
    0002C9B0  ffc2              inc edx
    0002C9B2  8d0d20de0a3d      lea ecx, [0x3d0ade20]
    0002C9B8  0fafd7            imul edx, edi
    0002C9BB  2ccb              sub al, 0xcb
    0002C9BD  0fc1d0            xadd eax, edx
    0002C9C0  0fbeca            movsx ecx, dl
    0002C9C3  d1f2              sal edx, 1
    0002C9C5  8d15c930d271      lea edx, [0x71d230c9]
    0002C9CB  31fa              xor edx, edi
    0002C9CD  c0e84b            shr al, 0x4b
    0002C9D0  0fc1d0            xadd eax, edx
    0002C9D3  0fc0c1            xadd cl, al
    0002C9D6  85ce              test esi, ecx
    0002C9D8  f6c63b            test dh, 0x3b
    0002C9DB  e800000000        call 0x2c9e0
    0002C9E0  5a                pop edx
    0002C9E1  0fc1d0            xadd eax, edx
    0002C9E4  2cfb              sub al, 0xfb
    0002C9E6  85                .byte 0x85
  • Reference to WinExec API [severity: high; rule: SC_STR_WINEXEC]
  • Reference to CreateProcess API [severity: high; rule: SC_STR_CREATEPROCESS]
  • Reference to ShellExecute API [severity: high; rule: SC_STR_SHELLEXEC]
  • Reference to LoadLibrary API [severity: high; rule: SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [severity: high; rule: SC_STR_GETPROCADDRESS]
  • OLE document has large unaccounted-for region [severity: high; rule: OLE_SLACK_ANOMALY]
    OLE file is 763,443 bytes but its declared streams total only 18,208 bytes — 745,235 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Clipboard command execution lure [severity: high; rule: SE_CLIPBOARD_COMMAND_LURE]
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualAlloc API [severity: medium; rule: SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API [severity: medium; rule: SC_STR_VIRTUALPROTECT]
  • Suspicious extracted artifact [severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://microsoft.com0 [In document text (OLE body)]
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H [In document text (OLE body)]
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 [In document text (OLE body)]
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H [In document text (OLE body)]
    • http://www.microsoft.com/pki/certs/tspca.crt0 [In document text (OLE body)]

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: embedded_office_0002b96f.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x2B96F
Size: 584900 bytes
SHA-256: 61ce84aa37975b0d2677e75c7515a7acadcca0b5d8cfff0a769b933563bf657a
Detection: ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY
Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, CreateRemoteThread, VirtualAlloc, VirtualAllocEx, VirtualProtect

Filename: embedded_office_off0000560d.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x560D
Size: 741414 bytes
SHA-256: 3e8c74bd52523889cb92ea84ca0e5a7c23cc7d5808ab905cf717717d3a975b58
Detection: ClamAV: Win.Malware.Razy-9886340-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY
Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, CreateRemoteThread, VirtualAlloc, VirtualAllocEx, VirtualProtect