Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90f17840ec921ea2…

MALICIOUS

Office (OLE)

96.0 KB Created: 2012-01-31 14:40:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 99535594fa06b071deeb7a0a15953d65 SHA-1: 9d6eb96e0019f3044ff272e3b7628d4de0519822 SHA-256: 90f17840ec921ea2a63e060e0eeece5efb4512a754792aa7ff1c37f895ef05ce
400 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious OLE document that leverages CVE-2008-2244 to embed a PE executable. Heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is designed to be loaded and run. ClamAV detections confirm the malicious nature of both the document and the embedded artifact, identifying it as a dropper.

Heuristics 7

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Doc.Dropper.Agent-6546988-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546988-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 98,304 bytes but its declared streams total only 24,445 bytes — 73,859 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00006e00.exe embedded-pe Office MZ+PE at offset 0x6E00 70144 bytes
SHA-256: 002b6b9af74e565bf92c68713a0397677a246cdc4841a4e3e3ad60a9d31f7404
Detection
ClamAV: Win.Trojan.Agent-1266464
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.