Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a0c58cc538808341…

Verdict: MALICIOUS
Format: Office (OLE) / .DOC
Size: 70.1 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: 80ff010a280cf81761c71a929daea53a
SHA-1: 1d60f51315c68f1c227b64a218e5efd430546bc5
SHA-256: a0c58cc53880834174be4da58b64f447b0503df6948823f291056c0697dd9f58
Risk score: 384

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is a malicious Microsoft Word document that exploits CVE-2008-2244. It contains an embedded PE executable, indicating it's designed to download and execute a second-stage payload. The presence of VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress API calls further suggests malicious code execution and memory manipulation. The ClamAV detection of Win.Worm.Autorun-2550 supports the malicious classification.

Heuristics (10)

  • CVE-2008-2244 — Microsoft Word record-parsing payload [critical; CVE likely; rule CVE_2008_2244]
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable [critical; rule OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document: possible embedded executable.
  • ClamAV: Win.Worm.Autorun-2550 [critical; rule CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Worm.Autorun-2550.
  • NOP sled detected [high; rule SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes.
  • Reference to LoadLibrary API [high; rule SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high; rule SC_STR_GETPROCADDRESS]
  • OLE document has large unaccounted-for region [high; rule OLE_SLACK_ANOMALY]
    OLE file is 71,764 bytes but its declared streams total only 16,486 bytes — 55,278 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium; rule SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API [medium; rule SC_STR_VIRTUALPROTECT]
  • Unsupported Office format for VBA extraction [info; rule OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004c00.exe
SHA-256: a3b40cf0bcd745cab51d65c57ad84723696f270e587b7e438097184874e75606
Kind: embedded-pe
Source: Office MZ+PE at offset 0x4C00
Size: 52,308 bytes