Verdict: MALICIOUS
Risk Score: 342
Heuristics: 9
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely) [CVE_2008_2244]: Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- Embedded PE executable (critical) [OLE_EMBEDDED_EXE]: MZ/PE header found inside document — possible embedded executable.
- PEB access via FS segment (x86) (high) [SC_PEB_ACCESS]: PEB access via FS segment (x86).

  Disassembly: x86 · validity: uncertain (0.632) — 4/7 branch targets land on an instruction boundary (57% coherence)

  ```
  00001BA5 648b1530000000    mov edx, dword ptr fs:[0x30]
  00001BAC e9df020000        jmp 0x1e90
  00001BB1 8f85c4feffff      pop dword ptr [ebp - 0x13c]
  00001BB7 8b420c            mov eax, dword ptr [edx + 0xc]
  00001BBA 8b701c            mov esi, dword ptr [eax + 0x1c]
  00001BBD ad                lodsd eax, dword ptr [esi]
  00001BBE 8b7808            mov edi, dword ptr [eax + 8]
  00001BC1 89bdccfeffff      mov dword ptr [ebp - 0x134], edi
  00001BC7 8b473c            mov eax, dword ptr [edi + 0x3c]
  00001BCA 8b540778          mov edx, dword ptr [edi + eax + 0x78]
  00001BCE 03d7              add edx, edi
  00001BD0 8b5a20            mov ebx, dword ptr [edx + 0x20]
  00001BD3 03df              add ebx, edi
  00001BD5 33c9              xor ecx, ecx
  00001BD7 41                inc ecx
  00001BD8 8b348b            mov esi, dword ptr [ebx + ecx*4]
  00001BDB 03f7              add esi, edi
  00001BDD b847657450        mov eax, 0x50746547
  00001BE2 3b06              cmp eax, dword ptr [esi]
  00001BE4 75f1              jne 0x1bd7
  00001BE6 b8726f6341        mov eax, 0x41636f72
  00001BEB 3b4604            cmp eax, dword ptr [esi + 4]
  00001BEE 75e7              jne 0x1bd7
  00001BF0 8b5a24            mov ebx, dword ptr [edx + 0x24]
  00001BF3 03df              add ebx, edi
  00001BF5 668b0c4b          mov cx, word ptr [ebx + ecx*2]
  00001BF9 8b5a1c            mov ebx, dword ptr [edx + 0x1c]
  00001BFC 03df              add ebx, edi
  00001BFE 8b048b            mov eax, dword ptr [ebx + ecx*4]
  00001C01 03c7              add eax, edi
  00001C03 89                .byte 0x89
  00001C04 85                .byte 0x85
  ```

- Reference to CreateProcess API (high) [SC_STR_CREATEPROCESS]: Reference to CreateProcess API.
- Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]: Reference to LoadLibrary API.
- Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API.
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]: OLE file is 46,150 bytes but its declared streams total only 12,381 bytes — 33,769 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualProtect API (medium) [SC_STR_VIRTUALPROTECT]: Reference to VirtualProtect API.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00006000.exe | embedded-pe | Office MZ+PE at offset 0x6000 | 21574 bytes |

SHA-256: 0a9c99e72d8eb0277618f52ca3b272bc839a2f360eb02ee9c4e613f5b0cad85c

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.61, consistent with packed or encrypted content.