Office (OLE) / .DOC malware analysis — malicious · a035a5e00349b676

MALICIOUS

Office (OLE) / .DOC

238.0 KB Created: 2008-01-02 09:44:00 Authoring application: Microsoft Office Word

MD5: 85e33f862c6ee241bec477a87abafa24 SHA-1: f14d3fe38f0b16acb4aa0310ae7ae1b0f3b36a85 SHA-256: a035a5e00349b676752b04e2bf2ce16e2ac48c74147ba153ca11e8bd56530c2e

352 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1059.005 Visual Basic

The sample is a Microsoft Word document exploiting CVE-2008-2244, which is known to deliver a malicious executable. The document contains an embedded PE executable and references to Windows API functions commonly used for execution and loading of payloads, such as WinExec, CreateProcess, LoadLibrary, and GetProcAddress. No VBA macros were extractable, but the presence of the embedded executable and the exploit signature strongly indicate a malicious payload delivery mechanism.

Heuristics 11

CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244

Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 243,712 bytes but its declared streams total only 20,794 bytes — 222,918 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.state.gov/g/drl/rls/hrrpt/2007/
- http://www.state.gov/g/drl/rls/hrrpt/2007/100518.htm#tibet

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00007800.exe` `96be31b903f5da46dae9e6b34fba6c80853d83e02cc36221933a59b7694b4821`	embedded-pe	Office MZ+PE at offset 0x7800	212992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.