Verdict: MALICIOUS
Risk score: 562

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1027 Obfuscated Files or Information
- T1105 Ingress Tool Transfer
The sample is a Microsoft Word (OLE/CFB) document whose structure matches the static heuristics for two Word exploit families, CVE-2007-3899 (MS07-060) and CVE-2008-2244 (MS08-042), and that carries an embedded PE executable plus shellcode-style indicators (GetPC stub, LoadLibrary/GetProcAddress/VirtualAlloc strings) in unallocated sector slack. ClamAV detects the file as Win.Malware.Virlock-6913537-0. The visible document text is unrelated to the underlying structure, which is consistent with a lure; note that the CVE attributions are "likely" shape matches, not confirmed exploit triggers.
Heuristics: 12

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; rule CVE_2007_3899). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; rule CVE_2008_2244). Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  Caveat: the two rules describe different WordDocument/table-stream shapes (a malformed FIB/DOP region versus normal small streams). Since a second OLE body is nested in this file at offset 0x560D, the two matches need not be against the same container, and both are static shape matches rather than confirmed triggers.
- ClamAV: Win.Malware.Virlock-6913537-0 (critical; rule CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Malware.Virlock-6913537-0.
- Embedded PE executable (critical; rule OLE_EMBEDDED_EXE). MZ/PE header found inside the document; possible embedded executable.
- Embedded Office document has suspicious static findings (critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE). A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- x86 GetPC stub (CALL $+5; POP EDX) (high; rule SC_GETPC_CALL).
  Disassembly (attempted linear x86 decode, one instruction per line):

```
0002CC72 e800000000    call 0x2cc77
0002CC77 5a            pop edx
0002CC78 ffc2          inc edx
0002CC7A 0fc0c1        xadd cl, al
0002CC7D e800000000    call 0x2cc82
0002CC82 5a            pop edx
0002CC83 f7d2          not edx
0002CC85 0fafd7        imul edx, edi
0002CC88 0fbeca        movsx ecx, dl
0002CC8B d1f2          sal edx, 1
0002CC8D 0fafd1        imul edx, ecx
0002CC90 f6d8          neg al
0002CC92 bab983e049    mov edx, 0x49e083b9
0002CC97 69c88060c309  imul ecx, eax, 0x9c36080
0002CC9D 8d15d1abaefa  lea edx, [0xfaaeabd1]
0002CCA3 85ce          test esi, ecx
0002CCA5 eb07          jmp 0x2ccae
0002CCA7 21ca          and edx, ecx
0002CCA9 17            pop ss
0002CCAA 98            cwde
0002CCAB 1db6b3e800    sbb eax, 0xe8b3b6
0002CCB0 0000          add byte ptr [eax], al
0002CCB2 005a85        add byte ptr [edx - 0x7b], bl
0002CCB5 ce            into
0002CCB6 86c1          xchg cl, al
0002CCB8 0fc1d0        xadd eax, edx
0002CCBB 2cc3          sub al, 0xc3
0002CCBD 31fa          xor edx, edi
0002CCBF 8ac2          mov al, dl
0002CCC1 0fafd7        imul edx, edi
0002CCC4 f6c6b3        test dh, 0xb3
0002CCC7 e800000000    call 0x2cccc
0002CCCC 5a            pop edx
0002CCCD c3            ret
0002CCCE 0000          add byte ptr [eax], al
0002CCD0 0000          add byte ptr [eax], al
```

  Reading note: the listing is a linear sweep, and the `jmp 0x2ccae` at 0002CCA5 skips the seven bytes `21 ca 17 98 1d b6 b3` that decode as `and`, `pop ss`, `cwde` and the start of `sbb`. At the jump target 0002CCAE the raw bytes are `e8 00 00 00 00 5a`, a fourth CALL $+5 / POP EDX stub that the sweep hides inside `sbb eax, 0xe8b3b6` and `add byte ptr [edx - 0x7b], bl`. Jump-over-junk sequences like this, together with the implausible instructions between the stubs (`pop ss`, `into`), are typical of polymorphic padding; the GetPC hits show position-independent code, not a confirmed working payload.
- Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY).
- Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS).
- OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY). OLE file is 468,141 bytes but its declared streams total only 18,208 bytes; 449,933 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Here the 446,112-byte OLE body carved at offset 0x560D accounts for almost all of that slack.
- Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC).
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://upx.tsx.org, found in document text (OLE body). This is the homepage string that older UPX packer stubs carry, so it most likely comes from the UPX-packed embedded PE rather than from a hyperlink the author placed; treat it as a packer artifact, not a network indicator.
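As an added example (not the analyzer's own code), the Python below scans raw bytes for the two classic x86 GetPC idioms (CALL $+5 / POP r32 and FSTENV [esp-0xC]) without relying on instruction alignment, resolves short jumps, and reports stubs that sit at a jump target. It runs over the 96 bytes transcribed from the listing above, which are assumed to be contiguous starting at 0x2CC72; everything else (names, the FSTENV pattern) is the example's own.

```python
import re

# Bytes transcribed from the report's disassembly listing, assumed contiguous from 0x2CC72.
LISTING_BASE = 0x2CC72
LISTING = bytes.fromhex(
    "e800000000 5a ffc2 0fc0c1 e800000000 5a f7d2 0fafd7 0fbeca d1f2 0fafd1 f6d8"
    " bab983e049 69c88060c309 8d15d1abaefa 85ce eb07 21ca 17 98 1db6b3e800 0000"
    " 005a85 ce 86c1 0fc1d0 2cc3 31fa 8ac2 0fafd7 f6c6b3 e800000000 5a c3 0000 0000"
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# CALL $+5 ; POP r32  (E8 00 00 00 00 58..5F)  and  FSTENV [esp-0xC]  (D9 EE D9 74 24 F4)
GETPC_CALL = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])")
GETPC_FSTENV = re.compile(rb"\xd9\xee\xd9\x74\x24\xf4")


def find_getpc(blob, base=0):
    """Return (address, idiom) for every GetPC stub in the blob.

    A byte-pattern scan, so it finds stubs that a linear disassembler has
    already absorbed into a preceding multi-byte instruction."""
    hits = [(base + m.start(), "call/pop " + REG32[m.group(1)[0] - 0x58])
            for m in GETPC_CALL.finditer(blob)]
    hits += [(base + m.start(), "fstenv") for m in GETPC_FSTENV.finditer(blob)]
    return sorted(hits)


def short_jmp_targets(blob, base=0):
    """(address, target) for every JMP rel8 (EB xx) byte pair.

    Raw scan: an EB data byte will false-positive, so treat targets as hints."""
    out = []
    for i in range(len(blob) - 1):
        if blob[i] == 0xEB:
            rel = blob[i + 1] - 256 if blob[i + 1] >= 0x80 else blob[i + 1]
            out.append((base + i, base + i + 2 + rel))
    return out


def hidden_stubs(blob, base=0):
    """GetPC stubs that sit exactly at a short-jump target.

    This is the jump-over-junk shape: the bytes between the JMP and its target
    are never executed, and a linear sweep misdecodes the real instruction at
    the target."""
    targets = {t for _, t in short_jmp_targets(blob, base)}
    return [addr for addr, _ in find_getpc(blob, base) if addr in targets]


if __name__ == "__main__":
    for addr, idiom in find_getpc(LISTING, LISTING_BASE):
        print(f"{addr:08X} {idiom}")
    print("jumps:", [(hex(a), hex(t)) for a, t in short_jmp_targets(LISTING, LISTING_BASE)])
    print("stubs at jump targets:", [hex(a) for a in hidden_stubs(LISTING, LISTING_BASE)])
```

Run stand-alone it lists four CALL $+5 / POP EDX stubs (0x2CC72, 0x2CC7D, 0x2CCAE, 0x2CCC7), one more than the linear listing shows, and flags 0x2CCAE as the one reached by the `jmp` at 0x2CCA5. When triaging a real sample, feed `find_getpc` the whole carved region rather than the 96 bytes shown here, and expect some false positives from data that happens to contain `E8 00 00 00 00`.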
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 289598 bytes | 54b15dabe964cf7af08ef958dc1874eec2cef9b335c2b91a69a4d7198d2eedde | Win.Malware.Virlock-6913537-0 | likely |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 446112 bytes | c456e0518cc5c7d2d90637be8fcb1623f498878aa49f7d1fd969e2704743917b | Win.Malware.Virlock-6913537-0 | likely |

For both artifacts, static shellcode analysis found candidate code region(s) with indicators SC_GETPC_CALL, SC_STR_GETPROCADDRESS and SC_STR_LOADLIBRARY, and recovered the API/import strings GetProcAddress, LoadLibraryA, CreateFileW and VirtualAlloc.

Consistency check: 0x560D (22,029) + 446,112 = 468,141 and 0x2B96F (178,543) + 289,598 = 468,141, which is the file size reported by OLE_SLACK_ANOMALY. Both carves run to end of file, so the PE lies inside the carved OLE child, and the identical ClamAV name and shellcode indicators on the two artifacts are one signature and one code region seen twice, not two independent detections.
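To reproduce the two figures that drive the OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE findings above (declared-stream total versus file size, and MZ/PE headers in the remainder), here is an added Python example. It is not the analyzer's code: it parses the CFB header, FAT and directory directly, sums the stream sizes the directory declares, and scans for MZ headers whose e_lfanew points at a PE signature. The sample it runs on is constructed inline (a minimal CFB with one 4096-byte "WordDocument" stream followed by slack holding a fake PE stub); it assumes at most 109 FAT sectors (no DIFAT chaining) and counts header, FAT and directory sectors as non-stream bytes, matching the report's coarse metric.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STGTY_STREAM, STGTY_ROOT = 2, 5


def declared_stream_total(data):
    """Sum the sizes declared by every stream entry in the CFB directory.

    Walks the directory chain through the FAT and trusts the size fields only,
    so no stream data is read. DIFAT chaining (>109 FAT sectors) is not handled
    in this example."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE container")
    major, = struct.unpack_from("<H", data, 0x1A)
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if struct.unpack_from("<I", data, 0x48)[0]:
        raise NotImplementedError("DIFAT chaining not handled in this example")

    def sector(n):  # sector 0 is the first sector after the header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for i in range(n_fat):
        loc, = struct.unpack_from("<I", data, 0x4C + 4 * i)
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), sector(loc)))
    total, count, seen, cur = 0, 0, set(), first_dir
    while cur < len(fat) and cur not in seen:   # ENDOFCHAIN/FREESECT fall out of range
        seen.add(cur)
        buf = sector(cur)
        for e in range(sector_size // 128):
            entry = buf[128 * e:128 * (e + 1)]
            if entry[0x42] == STGTY_STREAM:
                size, = struct.unpack_from("<Q", entry, 0x78)
                if major == 3:
                    size &= 0xFFFFFFFF  # v3 writers leave the high dword undefined
                total += size
                count += 1
        cur = fat[cur]
    return total, count


def slack_report(data):
    """Bytes not covered by any declared stream, absolute and as a percentage."""
    total, count = declared_stream_total(data)
    slack = len(data) - total
    return {"file_size": len(data), "stream_total": total, "streams": count,
            "slack": slack, "slack_pct": round(100.0 * slack / len(data), 1)}


def find_pe_headers(data):
    """Offsets of every MZ header whose e_lfanew lands on a PE\\0\\0 signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


# --- constructed sample: a minimal CFB with a fake PE stub in its slack ---

def _dir_entry(name, obj_type, start, size, child=NOSTREAM):
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\0\0"
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 0x40, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)


def build_fake_pe():
    """MZ stub pointing at a PE signature: enough to trip a carver, not loadable."""
    mz = bytearray(0x80)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x80)
    return bytes(mz) + b"PE\0\0" + b"\0" * 0x7C


def build_sample():
    """512-byte sectors: header, FAT (sector 0), directory (1), a 4096-byte
    'WordDocument' stream in sectors 2..9, then unallocated slack holding the PE."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<IIIIII", hdr, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0)
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)              # no DIFAT sectors
    hdr[0x4C:] = b"\xFF" * 436                                      # DIFAT: all FREESECT ...
    struct.pack_into("<I", hdr, 0x4C, 0)                            # ... except FAT in sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat_sector = struct.pack("<%dI" % (ss // 4), *(fat + [FREESECT] * (ss // 4 - len(fat))))
    directory = (_dir_entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", STGTY_STREAM, 2, 4096)).ljust(ss, b"\0")
    stream = b"\xEC\xA5\xC1\x00".ljust(4096, b"\0")                 # Word FIB magic, then filler
    slack = b"\x90" * 1024 + build_fake_pe() + b"\0" * 1024
    return bytes(hdr) + fat_sector + directory + stream + slack


if __name__ == "__main__":
    sample = build_sample()
    print(slack_report(sample))
    print("MZ/PE at", [hex(o) for o in find_pe_headers(sample)])
```

On the constructed sample this reports one declared stream of 4096 bytes in a 7936-byte file (3840 bytes, 48.4%, outside any stream) and an MZ/PE header at 0x1A00. Against the real sample you would expect the same shape as the report: a declared total near 18,208 bytes, a slack percentage near 96, and a hit at 0x2B96F. The `seen` set is what keeps a deliberately looped directory chain, a common anti-parser trick in malformed OLE files, from hanging the walk.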