MALICIOUS
Risk Score: 880

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is a malicious Microsoft Word (OLE/CFB) document whose static shape matches two Word parser exploits, CVE-2007-3899 (MS07-060, malformed string) and CVE-2008-2244 (MS08-042, record parsing), and which carries a PE executable in the document's unallocated sector slack (MZ/PE header at offset 0x2B96F). ClamAV detects the file and both carved artifacts as Win.Trojan.Generic-9955221-0. String references to URLDownloadToFile, CreateProcess, WriteProcessMemory and CreateRemoteThread indicate the embedded executable is built to fetch and run further code, including by writing into and starting a thread in another process (the WriteProcessMemory/CreateRemoteThread injection pattern). These are static string hits, not observed behaviour.
Heuristics (18)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Trojan.Generic-9955221-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Generic-9955221-0.
- Reference to URLDownloadToFile API (critical; SC_STR_URLDOWNLOAD)
- Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
- Embedded PE executable (critical; OLE_EMBEDDED_EXE): MZ/PE header found inside the document, a possible embedded executable.
- Embedded Office document has suspicious static findings (critical; EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- x86 GetPC stub (CALL $+5; POP EDX) (high; SC_GETPC_CALL)

  Disassembly (attempted linear x86 opcode disassembly from the stub):

  ```text
  0002C9B0  e800000000    call 0x2c9b5
  0002C9B5  5a            pop edx
  0002C9B6  bac19dc8ca    mov edx, 0xcac89dc1
  0002C9BB  0fbeca        movsx ecx, dl
  0002C9BE  eb01          jmp 0x2c9c1
  0002C9C0  ce            into
  0002C9C1  e800000000    call 0x2c9c6
  0002C9C6  5a            pop edx
  0002C9C7  eb01          jmp 0x2c9ca
  0002C9C9  5e            pop esi
  0002C9CA  0fafd7        imul edx, edi
  0002C9CD  31fa          xor edx, edi
  0002C9CF  f6d8          neg al
  0002C9D1  0fc1d0        xadd eax, edx
  0002C9D4  ba3987f09e    mov edx, 0x9ef08739
  0002C9D9  8d0d00b649d7  lea ecx, [0xd749b600]
  0002C9DF  0fafd7        imul edx, edi
  0002C9E2  f6c6ab        test dh, 0xab
  0002C9E5  31fa          xor edx, edi
  0002C9E7  0fbeca        movsx ecx, dl
  0002C9EA  0fb7d7        movzx edx, di
  0002C9ED  0fc1d0        xadd eax, edx
  0002C9F0  8ac2          mov al, dl
  0002C9F2  85ce          test esi, ecx
  0002C9F4  eb07          jmp 0x2c9fd
  0002C9F6  f4            hlt
  0002C9F7  e9b29f4065    jmp 0x654369ae
  0002C9FC  1e            push ds
  0002C9FD  85ce          test esi, ecx
  0002C9FF  8ac2          mov al, dl
  0002CA01  85ce          test esi, ecx
  0002CA03  0fbeca        movsx ecx, dl
  0002CA06  e800000000    call 0x2ca0b
  0002CA0B  5a            pop edx
  0002CA0C  31fa          xor edx, edi
  0002CA0E  c0            .byte 0xc0
  0002CA0F  e8            .byte 0xe8
  ```

  Only the CALL $+5 / POP EDX pair is meaningful here. The very next instruction overwrites EDX with an immediate, discarding the address just popped, and what follows (INTO, HLT, XADD, a far JMP to 0x654369ae) is not coherent code, so this stub by itself is a weak signal. It is worth keeping as a lead only because the same region also holds the MZ/PE header and the API strings listed in this report.

- Reference to WinExec API (high; SC_STR_WINEXEC)
- Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
- Reference to ShellExecute API (high; SC_STR_SHELLEXEC)
- Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY): The OLE file is 1,470,287 bytes but its declared streams total only 18,208 bytes; the remaining 1,452,079 bytes (99%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Here the slack holds the MZ/PE header at 0x2B96F, and 0x2B96F plus the carved 1,291,744 bytes runs exactly to the end of the file.
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium; SC_STR_VIRTUALPROTECT)
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
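The three structural checks in this list, the slack accounting (OLE_SLACK_ANOMALY), the MZ/PE carve (OLE_EMBEDDED_EXE) and the GetPC stub scan (SC_GETPC_CALL), can be reproduced in pure Python. The block below is an added example written for this page, not the analyzer's own code. It parses a version-3 CFB header, FAT and directory (assuming the FAT fits in the 109 in-header DIFAT slots), treats everything past the last sector the FAT marks as in use as slack, and scopes the PE and GetPC scans to that slack. The input is a constructed minimal CFB with one 100-byte WordDocument stream and 4 KiB of slack into which a fake MZ/PE stub and the report's own `e8 00 00 00 00 5a` bytes are planted; all function names are the example's own.

```python
import re
import struct

# Added example for this page, not the analyzer's own code.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5
GETPC_RE = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")  # call $+5 ; pop r32


def cfb_slack_report(data):
    """Bytes the CFB header and FAT account for versus the real file length.
    Assumes a v3 file whose FAT fits in the 109 in-header DIFAT slots."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE container")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):
        return data[512 + n * sector_size: 512 + (n + 1) * sector_size]

    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))
    # Walk the directory chain and add up every declared stream size.
    stream_bytes, s, seen = 0, first_dir, set()
    while s <= MAXREGSECT and s < len(fat) and s not in seen:
        seen.add(s)
        dir_sector = sector(s)
        for off in range(0, sector_size, 128):
            if dir_sector[off + 66] == STREAM:
                stream_bytes += struct.unpack_from("<I", dir_sector, off + 120)[0]
        s = fat[s]
    # Everything after the highest sector the FAT marks as in use is slack;
    # this also covers sectors the FAT does not describe at all.
    last_used = max((i for i, e in enumerate(fat) if e != FREESECT), default=-1)
    accounted = 512 + (last_used + 1) * sector_size
    return {"file_size": len(data), "stream_bytes": stream_bytes,
            "slack_start": accounted, "slack_bytes": max(0, len(data) - accounted)}


def find_embedded_pe(data, start=0):
    """Offsets of MZ headers whose e_lfanew points at a PE\\0\\0 signature."""
    hits, i = [], data.find(b"MZ", start)
    while i != -1:
        if i + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and data[i + e_lfanew: i + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(i)
        i = data.find(b"MZ", i + 1)
    return hits


def find_getpc_stubs(data, start=0):
    """Offsets of 'call $+5 ; pop r32'. The report's own listing shows the bytes
    after a hit can be junk, so scope this to slack and treat it as corroboration."""
    return [m.start() for m in GETPC_RE.finditer(data, start)]


def build_sample(slack_len=4096):
    """Constructed CFB: header, one FAT sector, one directory sector, one stream
    sector, then slack holding a fake MZ/PE stub and the report's GetPC bytes."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                        # 1 FAT sector; directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini cutoff, no mini FAT/DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)      # DIFAT[0]: FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *[FREESECT] * 125)

    def entry(name, kind, start, size, child=FREESECT):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HB", e, 64, len(raw), kind)
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)  # left/right/child; 0xFFFFFFFF = none
        struct.pack_into("<II", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("WordDocument", STREAM, 2, 100) + bytes(256))
    stream = b"\xec\xa5" + bytes(510)                   # Word FIB wIdent, then padding
    slack = bytearray(b"\x41" * slack_len)
    pe = bytearray(64)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)              # e_lfanew -> PE signature right after the stub
    slack[1000:1068] = bytes(pe) + b"PE\x00\x00"
    slack[3000:3011] = bytes.fromhex("e8000000005abac19dc8ca")  # bytes from the report's disassembly
    return bytes(hdr) + fat + directory + stream + bytes(slack)


def triage(data):
    report = cfb_slack_report(data)
    report["pe_offsets"] = find_embedded_pe(data, report["slack_start"])
    report["getpc_offsets"] = find_getpc_stubs(data, report["slack_start"])
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed file the FAT accounts for 2,048 bytes against a 6,144-byte file, so two thirds of it is slack, and both scans report offsets only inside that slack (3048 for the MZ/PE stub, 5048 for the GetPC bytes). Measuring slack from the last FAT-allocated sector rather than from the stream total is the more defensible number: the stream total ignores the header, FAT and directory sectors, which is why a ratio like the 99% above should be read as "almost everything" rather than as an exact figure.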
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 1,291,744 bytes | 9c00079685104813a2bbc5fc9042f6b2791fa97ec8aed2beddba4c58aef11e66 |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 1,448,258 bytes | 698b2df61a56492b1f353cfeb8e9676d4470ba44efe0cde57fca7f01ab12ba7f |

Detection (identical for both artifacts):

- ClamAV: Win.Trojan.Generic-9955221-0
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Recovered API/import strings: CreateProcessA, GetProcAddress, LoadLibraryA, CreateFileW, WriteProcessMemory, CreateProcessW.

Both carves run to the end of the file (0x560D + 1,448,258 = 0x2B96F + 1,291,744 = 1,470,287 bytes, the full sample size), so the .ole carve contains the .exe carve, which is why the two sets of findings are the same. The .exe size is therefore the remainder of the file rather than the PE image length; take the real length from the PE section table before hashing or submitting it elsewhere.