Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b003a5c3c1126015…

MALICIOUS

Office (OLE)

88.0 KB Created: 2010-06-29 01:30:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 8fbd81be95356e6979ae0410bc845a77 SHA-1: 6bc0c2fe2eac76eaf07c1b0e3ff1344ee1080f0c SHA-256: b003a5c3c1126015b630f246820a7ede9f6e864e77e7b82ad92a4fd7a70c5e67
340 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document exploiting CVE-2008-2244 to deliver a PE executable. The document body is written in Chinese and discusses a request for medical expense reimbursement, likely a lure to encourage the user to open the embedded malicious executable. The embedded executable was detected by ClamAV as Win.Trojan.Agent-1266464.

Heuristics 6

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 90,112 bytes but its declared streams total only 16,543 bytes — 73,569 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00004e00.exe embedded-pe Office MZ+PE at offset 0x4E00 70144 bytes
SHA-256: 242de82cd12412fd632f69948b87693945573cdbe2912ba5084d1aebaa1dcea5
Detection
ClamAV: Win.Trojan.Agent-1266464
Obfuscation or payload: unlikely