Office (OLE) malware analysis — malicious · 9e4808e74223dc2d

MALICIOUS

Office (OLE)

235.0 KB First seen: 2019-06-27

MD5: 67878affd6c6be50329f3556d68b6878 SHA-1: afef82f3599d1e384fbbd3907debda55973cbfa3 SHA-256: 9e4808e74223dc2dd238854c36d96e078bdfd5cccb9a62b36920ff2755417bab

108 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document that leverages the CVE-2007-3899 vulnerability, a known memory corruption flaw. The presence of VirtualAlloc API calls and the AutoOpen macro marker strongly suggest that the exploit is designed to allocate memory and execute shellcode. While no direct download URL or second-stage script was extracted, the exploit's nature points towards a downloader or dropper functionality.

Heuristics 4

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 346 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	346 bytes
SHA-256: `d8d6aa9142b7c524ecac8bd46c4c0a184757ecd963013bdb1bed432d0535218b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "tetracycline" Attribute VB_Base = "0{B37FF45F-C671-4713-A11F-F0913CCE5B5D}{FDFD2B12-39F1-41E6-BC62-956D9D337837}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: d8d6aa9142b7c524ecac8bd46c4c0a184757ecd963013bdb1bed432d0535218b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "tetracycline"
Attribute VB_Base = "0{B37FF45F-C671-4713-A11F-F0913CCE5B5D}{FDFD2B12-39F1-41E6-BC62-956D9D337837}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.