MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document that contains a critical heuristic indicating the presence of a PE-like payload exploiting CVE-2008-2244. It also references LoadLibrary and GetProcAddress APIs, suggesting dynamic loading of malicious code. The document body appears to be benign meeting minutes, indicating the lure is likely the document itself, not its content.
Heuristics 6
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 286,720 bytes but its declared streams total only 20,621 bytes — 266,099 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00006000.exe |
embedded-pe | Office MZ+PE at offset 0x6000 | 262144 bytes |
SHA-256: e5f90cc5309da26da37bef9d46b09b92ee52b9f437254420d93649da8ee6cc8a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.