Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5dc9df503fa285d…

MALICIOUS

Office (OLE)

Size: 45.1 KB
Created: 2005-06-21 13:04:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: e119e109a8d970363992136eab44ad32
SHA-1: 09b20bbb12723c8f05b6a828962ef7b086a7496e
SHA-256: b5dc9df503fa285d8a22b344f5b179eb55b42752a76eecdec19f9c4461aaa18c
Risk score: 410

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Word OLE document whose static layout matches the CVE-2008-2244 (MS08-042) record-parsing exploit family: small, ordinary WordDocument and table streams, a large unallocated region, and a payload living in that region. Static analysis carved an embedded PE executable from the slack and found position-independent shellcode that reads the PEB through fs:[0x30] and resolves GetProcAddress by walking a module's export table; string references to CreateProcess, LoadLibrary, GetProcAddress and VirtualProtect are consistent with the payload being written to memory, made executable and launched. A VBA project is also present, but its extracted module contains only attributes and no executable statements, so the T1059.005 mapping records the macro's presence rather than any macro-driven behaviour; code execution depends on the parser exploit (T1203).

Heuristics (11)

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical (CVE match, confidence: likely) CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Exploit.MS03-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.MS03-1
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    The instruction at 0x1BA5 loads the PEB from fs:[0x30]. The bytes after the jmp at 0x1BAC (a linear sweep, so the true control flow may differ) decode as a classic resolver: PEB.Ldr (+0x0c), InInitializationOrderModuleList (+0x1c), then the second list entry's DllBase (+0x08), which is kernel32.dll on Windows XP/Server 2003 but KernelBase.dll on Windows 7 and later, one reason shellcode of this vintage fails on newer systems. It then walks that module's export table with hard-coded offsets (e_lfanew at +0x3c, export directory RVA at PE+0x78, AddressOfNames +0x20, AddressOfNameOrdinals +0x24, AddressOfFunctions +0x1c) and compares the first eight bytes of each export name against the immediates 0x50746547 ("GetP") and 0x41636f72 ("rocA"), i.e. it resolves GetProcAddress by name. The loop starts at name index 1 and has no upper bound. The trailing bytes 89 85 are the start of an instruction cut off by the end of the disassembled window.
    Disassembly
    Attempted x86 opcode disassembly
    00001BA5  648b1530000000    mov edx, dword ptr fs:[0x30]
    00001BAC  e9df020000        jmp 0x1e90
    00001BB1  8f85c4feffff      pop dword ptr [ebp - 0x13c]
    00001BB7  8b420c            mov eax, dword ptr [edx + 0xc]
    00001BBA  8b701c            mov esi, dword ptr [eax + 0x1c]
    00001BBD  ad                lodsd eax, dword ptr [esi]
    00001BBE  8b7808            mov edi, dword ptr [eax + 8]
    00001BC1  89bdccfeffff      mov dword ptr [ebp - 0x134], edi
    00001BC7  8b473c            mov eax, dword ptr [edi + 0x3c]
    00001BCA  8b540778          mov edx, dword ptr [edi + eax + 0x78]
    00001BCE  03d7              add edx, edi
    00001BD0  8b5a20            mov ebx, dword ptr [edx + 0x20]
    00001BD3  03df              add ebx, edi
    00001BD5  33c9              xor ecx, ecx
    00001BD7  41                inc ecx
    00001BD8  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00001BDB  03f7              add esi, edi
    00001BDD  b847657450        mov eax, 0x50746547
    00001BE2  3b06              cmp eax, dword ptr [esi]
    00001BE4  75f1              jne 0x1bd7
    00001BE6  b8726f6341        mov eax, 0x41636f72
    00001BEB  3b4604            cmp eax, dword ptr [esi + 4]
    00001BEE  75e7              jne 0x1bd7
    00001BF0  8b5a24            mov ebx, dword ptr [edx + 0x24]
    00001BF3  03df              add ebx, edi
    00001BF5  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    00001BF9  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    00001BFC  03df              add ebx, edi
    00001BFE  8b048b            mov eax, dword ptr [ebx + ecx*4]
    00001C01  03c7              add eax, edi
    00001C03  89                .byte 0x89
    00001C04  85                .byte 0x85
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 46,150 bytes but its declared streams total only 17,619 bytes — 28,531 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
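
The PEB-access heuristic above shows the resolver only as raw disassembly. The following is an added example, not code from the report or from the analysis tool, that reimplements in Python the export-table walk at 0x1BC7-0x1C01 and runs it against a constructed stand-in for a mapped kernel32 image (the module layout, export names and RVAs are invented for the demonstration), so the hard-coded offsets and the two immediates can be checked:

```python
"""Added example (not code from the report): the shellcode's export-table walk in Python."""
import struct

# The two immediates from the disassembly at 0x1BDD and 0x1BE6, as they lie in memory.
PREFIX = struct.pack("<II", 0x50746547, 0x41636F72)       # b"GetProcA"

# Constructed stand-in for kernel32's export list: name -> function RVA (invented values).
FAKE_EXPORTS = {"CloseHandle": 0x1000, "GetProcAddress": 0x2000, "LoadLibraryA": 0x3000}


def dword_to_ascii(value):
    """Render an immediate such as 0x50746547 the way it lies in memory (little-endian)."""
    return struct.pack("<I", value).decode("ascii")


def resolve_export_by_prefix(image, prefix8):
    """Mirror the shellcode over a PE image whose base is offset 0 of `image`.

    The shellcode starts at name index 1 (xor ecx,ecx / inc ecx) and has no upper bound;
    this version keeps the same start index but stops at NumberOfNames instead of running
    off the end of the table when nothing matches.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]                 # mov eax, [edi+0x3c]
    export_dir = struct.unpack_from("<I", image, e_lfanew + 0x78)[0]    # mov edx, [edi+eax+0x78]
    n_names = struct.unpack_from("<I", image, export_dir + 0x18)[0]
    functions = struct.unpack_from("<I", image, export_dir + 0x1C)[0]   # AddressOfFunctions
    names = struct.unpack_from("<I", image, export_dir + 0x20)[0]       # AddressOfNames
    ordinals = struct.unpack_from("<I", image, export_dir + 0x24)[0]    # AddressOfNameOrdinals
    for i in range(1, n_names):                                         # ecx starts at 1
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]    # mov esi, [ebx+ecx*4]
        if image[name_rva:name_rva + 8] != prefix8:                     # cmp eax,[esi] / [esi+4]
            continue
        ordinal = struct.unpack_from("<H", image, ordinals + 2 * i)[0]  # mov cx, [ebx+ecx*2]
        func_rva = struct.unpack_from("<I", image, functions + 4 * ordinal)[0]  # mov eax, [ebx+ecx*4]
        end = image.index(b"\x00", name_rva)
        return image[name_rva:end].decode("ascii"), func_rva             # add eax, edi gives the VA
    return None


def build_fake_module(exports):
    """Constructed PE image: DOS stub, PE signature and an export table for `exports`.
    Names are stored sorted, as the PE specification requires of AddressOfNames."""
    image = bytearray(0x400)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                           # e_lfanew
    image[0x80:0x84] = b"PE\x00\x00"
    export_dir, names_at, ords_at, funcs_at, strings_at = 0x200, 0x240, 0x260, 0x280, 0x300
    struct.pack_into("<I", image, 0x80 + 0x78, export_dir)              # export data directory RVA
    sorted_names = sorted(exports)
    # +0x14 NumberOfFunctions, +0x18 NumberOfNames, +0x1C AddressOfFunctions, +0x20 AddressOfNames
    struct.pack_into("<IIII", image, export_dir + 0x14, len(sorted_names), len(sorted_names), funcs_at, names_at)
    struct.pack_into("<I", image, export_dir + 0x24, ords_at)           # AddressOfNameOrdinals
    for i, name in enumerate(sorted_names):
        struct.pack_into("<I", image, names_at + 4 * i, strings_at)
        struct.pack_into("<H", image, ords_at + 2 * i, i)
        struct.pack_into("<I", image, funcs_at + 4 * i, exports[name])
        encoded = name.encode("ascii") + b"\x00"
        image[strings_at:strings_at + len(encoded)] = encoded
        strings_at += len(encoded)
    return bytes(image)


if __name__ == "__main__":
    print(PREFIX)                                                       # b'GetProcA'
    print(resolve_export_by_prefix(build_fake_module(FAKE_EXPORTS), PREFIX))  # ('GetProcAddress', 8192)
```

Because the shellcode never examines name index 0, a module whose first export sorts at or after "GetProcAddress" would not be resolved; against a real kernel32, whose export names begin well before that alphabetically, the quirk is harmless, but it is the kind of detail worth recording when the same resolver turns up in other samples.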

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 369 bytes
SHA-256: 0a0073e6700d52a50d0c1e9ea0537e97be4dbdf563f1ead10aa7aa70adf4375d
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "PropertyTreeCtl1, 0, 0, PROPERTYTREELib, PropertyTreeCtl"
Filename: embedded_office_00006000.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6000
Size: 21,574 bytes
SHA-256: 0a9c99e72d8eb0277618f52ca3b272bc839a2f360eb02ee9c4e613f5b0cad85c
Offset 0x6000 (24,576) plus 21,574 bytes is exactly the 46,150-byte end of the parent file, so the carved PE occupies the tail of the document, consistent with the slack-resident payload described by the CVE_2008_2244 heuristic.
Detection: ClamAV: No threats found (the Win.Exploit.MS03-1 detection above fired on the parent document; the carved payload itself is undetected)
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
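
The OLE_SLACK_ANOMALY heuristic and the carved PE at 0x6000 describe the same thing: bytes the compound file's allocation table does not account for. The following added example, not the report's own tooling, is a minimal OLE/CFB parser that derives the unallocated region from the FAT instead of subtracting declared stream sizes from the file size, and lists sector-aligned MZ headers found there. It runs against a constructed compound file built inline (stream name, sizes and the fake payload bytes are made up for the demonstration); on a real sample, pass open(path, "rb").read() to slack_report():

```python
"""Minimal OLE/CFB slack check (added example, not the report's tool)."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM, STGTY_STREAM, STGTY_ROOT = 0xFFFFFFFF, 2, 5


def sector_offset(sid, sector_size):
    return (sid + 1) * sector_size             # sector 0 follows the 512-byte header


def read_fat(data):
    """Return (sector_size, first_directory_sector, fat) from the header and DIFAT."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if num_fat > 109:                           # DIFAT chain sectors are not followed here
        raise NotImplementedError("file larger than the 109 header DIFAT entries cover")
    fat = []
    for sid in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, sector_offset(sid, sector_size)))
    return sector_size, first_dir, fat


def read_chain(fat, start):
    """Follow a FAT chain; stop on end markers, out-of-range ids and loops (corrupt files)."""
    seen, sid = set(), start
    while sid < len(fat) and sid not in seen:
        seen.add(sid)
        yield sid
        sid = fat[sid]


def declared_streams(data, sector_size, first_dir, fat):
    """Map stream name -> declared size (version 3 files: low 32 bits of the size field)."""
    streams = {}
    for sid in read_chain(fat, first_dir):
        base = sector_offset(sid, sector_size)
        for pos in range(base, base + sector_size, 128):
            entry = data[pos:pos + 128]
            if len(entry) == 128 and entry[0x42] == STGTY_STREAM:
                name_len = struct.unpack_from("<H", entry, 0x40)[0]
                name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
                streams[name] = struct.unpack_from("<I", entry, 0x78)[0]
    return streams


def slack_report(data):
    """Bytes in sectors the FAT leaves free or does not cover, plus MZ headers found there."""
    sector_size, first_dir, fat = read_fat(data)
    streams = declared_streams(data, sector_size, first_dir, fat)
    n_sectors = -(-(len(data) - sector_size) // sector_size)       # ceil; header excluded
    free, free_bytes, mz_offsets = [], 0, []
    for sid in range(n_sectors):
        if sid < len(fat) and fat[sid] != FREESECT:
            continue                                                 # allocated: stream, FAT or directory
        off = sector_offset(sid, sector_size)
        chunk = data[off:off + sector_size]
        free.append(sid)
        free_bytes += len(chunk)
        if chunk.startswith(b"MZ"):
            mz_offsets.append(off)
    return {"file_size": len(data), "streams": streams, "stream_total": sum(streams.values()),
            "unallocated_sectors": free, "unallocated_bytes": free_bytes,
            "unallocated_pct": round(100.0 * free_bytes / len(data), 1), "mz_offsets": mz_offsets}


def dir_entry(name, etype, start, size, child=NOSTREAM):
    """One 128-byte directory entry (used only to construct the sample file)."""
    entry = bytearray(128)
    encoded = (name + "\x00").encode("utf-16-le")
    entry[:len(encoded)] = encoded
    struct.pack_into("<HBB", entry, 0x40, len(encoded), etype, 1)     # name length, type, colour
    struct.pack_into("<III", entry, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<IQ", entry, 0x74, start, size)
    return bytes(entry)


def build_sample():
    """Constructed compound file: a 100-byte WordDocument stream in sector 2, then three
    sectors the FAT marks free, the middle one starting with a fake MZ header."""
    ss = 512
    header = bytearray(ss)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor/major, byte order, shifts
    struct.pack_into("<IIII", header, 0x2C, 1, 1, 0, 0x1000)           # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", header, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini-FAT, no DIFAT chain
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (ss // 4 - 3)
    directory = dir_entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
    directory += dir_entry("WordDocument", STGTY_STREAM, 2, 100)
    fake_pe = (b"MZ\x90\x00" + b"\xcc" * 60 + b"PE\x00\x00").ljust(ss, b"\xcc")
    slack = bytes(ss) + fake_pe + bytes(range(256)) * 2
    return (bytes(header) + struct.pack("<%dI" % (ss // 4), *fat)
            + directory.ljust(ss, b"\x00") + (b"A" * 100).ljust(ss, b"\x00") + slack)


if __name__ == "__main__":
    print(slack_report(build_sample()))
```

The FAT-based figure counts the FAT and directory sectors as allocated, so it is stricter than file size minus declared stream total (the report's 28,531 bytes); both methods flag a file shaped like this sample. read_chain stops on loops and out-of-range sector ids because the exploit class being triaged relies on exactly that kind of corrupted structure, and DIFAT chains beyond the 109 header entries (files over roughly 7 MB at 512-byte sectors) are deliberately not followed.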