Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7886ec61b160473…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 120.5 KB (123,392 bytes)
Created: 2004-04-05 00:54:00
Authoring application: Microsoft Word 10.0 (Word 2002)
First seen: 2012-06-14
MD5: b0cce568f22fc6f1e668f219fbcc9722
SHA-1: 6cb2ab5916ec684a0e0851fcb570d8b868c5bed7
SHA-256: b7886ec61b16047338afc6f36b7e05a0c3994cc61f9dd2bccafbf9159ce989e1
Risk score: 400

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Word (OLE2 .doc) document whose static layout matches the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244, a memory-corruption vulnerability that gives remote code execution when the document is opened in a vulnerable Word version. An embedded PE executable starts at offset 0x10200, inside the unallocated sector slack, and its 57,344 bytes run exactly to the end of the 123,392-byte file. String references to WinExec, CreateProcess, LoadLibrary and GetProcAddress indicate a loader that resolves APIs at run time and launches a secondary payload. The VBA project holds a single empty recorded macro and contributes no functionality, so the macro is a leftover of the authoring template rather than the execution vector; the exploit (T1203) is, and the T1059.005 mapping is weak.

Heuristics (9)

  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; rule CVE_2008_2244; CVE attribution: likely)
    The Word OLE document has normal, small WordDocument/table streams, a large unallocated OLE slack region, and an executable or API-resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244; the match is structural, not a signature on the exploit trigger itself.
  • ClamAV: Doc.Trojan.1Table-1 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.1Table-1.
  • Embedded PE executable (critical; rule OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document at offset 0x10200, in the unallocated region; the carved image is listed under Extracted artifacts.
  • Reference to WinExec API (high; rule SC_STR_WINEXEC)
    String reference to WinExec, a legacy Win32 call that launches a program from a command line and is the shortest route for shellcode to run a dropped executable.
  • Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
    String reference to CreateProcess; together with WinExec it points to a loader that executes a secondary payload.
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
    String reference to LoadLibrary.
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
    String reference to GetProcAddress. The LoadLibrary/GetProcAddress pair is the standard way shellcode and packed loaders resolve imports at run time instead of through an import table.
  • OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY)
    The OLE file is 123,392 bytes but its declared streams total only 60,918 bytes; the remaining 62,474 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). A benign Word document can also carry some unallocated sectors left by rewritten streams, so the size of the region matters more than its existence.
  • VBA macros detected (medium; rule OLE_VBA_MACROS)
    Document contains VBA macro code. The extracted project holds a single empty recorded macro (see Extracted artifacts), so this indicator adds little on its own.
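The slack and embedded-PE heuristics above can be reproduced without the analysis platform. The block below is an added example, not code from this report or from any named tool (it does not use olefile or oletools): it parses the CFB header, FAT and directory with the standard library only, sums the stream sizes declared in the directory, lists the sectors the FAT leaves unallocated, and searches those sectors for an MZ header whose e_lfanew points at a PE signature. The container it analyses is constructed inline by build_sample (a 4,096-byte stand-in, not the sample hashed above) so the code runs offline; on the real file the same two measurements are the 60,918 declared bytes and the PE at 0x10200 reported by the heuristics.

```python
"""OLE2/CFB sector-slack measurement and PE-in-slack search (added example)."""
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
STGTY_STREAM, STGTY_ROOT = 2, 5


def _sector(sid, sector_size):
    """Byte offset of sector `sid`; the header occupies the slot before sector 0."""
    return (sid + 1) * sector_size


def read_fat(data):
    """Return (sector_size, FAT) from the 109 DIFAT entries in the header.
    DIFAT sectors (files above ~6.8 MB) are not followed in this example."""
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sid in difat[:num_fat]:
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, _sector(sid, sector_size)))
    return sector_size, fat


def analyze_ole(data):
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB container")
    sector_size, fat = read_fat(data)
    major = struct.unpack_from("<H", data, 0x1A)[0]

    # 1. Sum the sizes declared by stream directory entries, following the
    #    directory sector chain (guarded against FAT loops).
    declared, seen = 0, set()
    sid = struct.unpack_from("<I", data, 0x30)[0]
    while sid < len(fat) and sid not in seen:
        seen.add(sid)
        base = _sector(sid, sector_size)
        for off in range(base, base + sector_size, 128):
            if data[off + 66] == STGTY_STREAM:
                size = struct.unpack_from("<Q", data, off + 120)[0]
                if major == 3:            # v3 files: only the low 32 bits are valid
                    size &= 0xFFFFFFFF
                declared += size
        sid = fat[sid]

    # 2. Sectors present in the file but FREESECT in the FAT (or beyond the
    #    FAT's coverage) are slack: no stream chain can legitimately reach them.
    total_sectors = -(-(len(data) - sector_size) // sector_size)
    slack = [i for i in range(total_sectors) if i >= len(fat) or fat[i] == FREESECT]

    # 3. Inside the slack, look for "MZ" whose e_lfanew lands on "PE\0\0".
    pe_offsets = []
    for i in slack:
        base = _sector(i, sector_size)
        pos = data.find(b"MZ", base, base + sector_size)
        while pos != -1:
            if pos + 0x40 <= len(data):
                e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
                if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                    pe_offsets.append(pos)
            pos = data.find(b"MZ", pos + 1, base + sector_size)

    return {"file_size": len(data), "declared_stream_bytes": declared,
            "unallocated_bytes": len(slack) * sector_size, "pe_offsets": pe_offsets}


def _dir_entry(name, etype, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\0\0"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), etype, 1)         # name length, type, colour
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)                # start sector, size
    return bytes(e)


def build_sample():
    """Constructed test container (not the analysed sample): FAT, directory,
    one 400-byte stream, then four unallocated sectors holding a bare MZ/PE stub."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, shifts
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))    # DIFAT[0]: FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = (_dir_entry("Root Entry", STGTY_ROOT, child=1)
                 + _dir_entry("WordDocument", STGTY_STREAM, start=2, size=400)
                 + bytes(2 * 128))
    stream = (b"W" * 400).ljust(ss, b"\0")
    stub = bytearray(ss)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)                         # e_lfanew -> PE signature
    stub[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + fat + directory + stream + bytes(stub) + bytes(3 * ss)


if __name__ == "__main__":
    r = analyze_ole(build_sample())
    pct = 100 * r["unallocated_bytes"] / r["file_size"]
    print(f"{r['file_size']} bytes, {r['declared_stream_bytes']} declared, "
          f"{r['unallocated_bytes']} unallocated ({pct:.0f}%), PE at {[hex(o) for o in r['pe_offsets']]}")
```

Two measurements are returned because they answer different questions: declared_stream_bytes versus file size is the report's 60,918-of-123,392 figure and also catches padding inside allocated sectors, while unallocated_bytes counts only whole sectors no stream chain reaches, which is where a payload must sit if the document is to open cleanly. On a real corpus, treat a large unallocated region as a trigger for carving, not as a verdict on its own.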

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 549 bytes
SHA-256: be8f931d645645cfa550bd4b2bdf38625cb529e04ccbf8f7415ade57d9492448
Preview of the extracted script (the Chinese recording note is translated to English below):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub HANAMI()
Attribute HANAMI.VB_Description = "Macro recorded on 2002-5-20 by EFairy"
Attribute HANAMI.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.HANAMI"
'
' HANAMI Macro
' Macro recorded on 2002-5-20 by EFairy
' (empty body: the recorder captured no actions, so the macro does nothing when run)
'
End Sub
Filename: embedded_office_00010200.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x10200 (sector 128 of the OLE container, inside the unallocated region)
Size: 57,344 bytes (0x10200 + 57,344 = 123,392, so the image runs exactly to the end of the file)
SHA-256: 47076486a967fe258d71654adc3e51f47c340b1370a3843a14061e0826a9d448