Verdict: MALICIOUS (risk score 182)
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
ClamAV identifies the file as Osx.Trojan.CVE_2009_0563-4, a signature for documents that exploit CVE-2009-0563, a buffer overflow in Microsoft Word's parsing of the binary .doc format (patched in MS09-027) that affected Office for Mac as well as Windows; the Osx prefix of the signature name marks this sample's payload as Mac-targeted. Three independent static indicators corroborate the signature: a run of more than 20 consecutive 0x90 (NOP) bytes, a CALL $+5 / POP EAX GetPC stub followed by ordinary compiler-generated i386 function code, and an OLE container in which 88% of the bytes belong to no declared stream. Together they describe a document built to execute attacker-supplied native code when Word parses it. The only URL recovered is the DrawingML schema namespace, which is boilerplate rather than a callback address, so whatever second stage the payload fetches or drops is not visible to static analysis; "downloads a further stage" is an inference, not an observation, and would need detonation on an unpatched Office for Mac build to confirm.

Heuristics (5)
- ClamAV: Osx.Trojan.CVE_2009_0563-4 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Osx.Trojan.CVE_2009_0563-4
- NOP sled detected [high] SC_NOP_SLED: found 20+ consecutive 0x90 bytes
  Disassembly (attempted x86 opcode disassembly, starting at file offset 0x1046):
    00001046-0000107E  90 (57 times)      nop
    0000107F           0909               or dword ptr [ecx], ecx
    00001081           0909               or dword ptr [ecx], ecx
    00001083           099090909090       or dword ptr [eax - 0x6f6f6f70], edx
    00001089-00001093  90 (11 times)      nop
    00001094           10f0               adc al, dh
    00001096           e38f               jecxz 0x1027
    00001098-000010A4  0000 (7 times)     add byte ptr [eax], al
  Note: the sled is 57 bytes long before five 0x09 bytes interrupt it; what follows (adc, jecxz, then zeros) does not disassemble into meaningful code, so this region is padding the sled lands on rather than the payload itself. Runs of 0x90 also occur in benign binary data, so on its own this heuristic is corroborating, not conclusive; its weight here comes from the GetPC stub and the slack anomaly below.
- x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL: CALL $+5 immediately followed by POP EAX at file offset 0x891E, with a second instance at 0x8932
  Disassembly (attempted x86 opcode disassembly):
    0000891E  e800000000        call 0x8923
    00008923  58                pop eax
    00008924  ffb01b5d0000      push dword ptr [eax + 0x5d1b]
    0000892A  8b80cb850000      mov eax, dword ptr [eax + 0x85cb]
    00008930  ffe0              jmp eax
    00008932  e800000000        call 0x8937
    00008937  58                pop eax
    00008938  8b80bb850000      mov eax, dword ptr [eax + 0x85bb]
    0000893E  ffe0              jmp eax
    00008940  55                push ebp
    00008941  89e5              mov ebp, esp
    00008943  57                push edi
    00008944  56                push esi
    00008945  53                push ebx
    00008946  83ec04            sub esp, 4
    00008949  817d10c0000000    cmp dword ptr [ebp + 0x10], 0xc0
    00008950  7426              je 0x8978
    00008952  817d1000010000    cmp dword ptr [ebp + 0x10], 0x100
    00008959  7428              je 0x8983
    0000895B  817d1080000000    cmp dword ptr [ebp + 0x10], 0x80
    00008962  b801000000        mov eax, 1
    00008967  0f85ee030000      jne 0x8d5b
    0000896D  8b4508            mov eax, dword ptr [ebp + 8]
    00008970  c7000a000000      mov dword ptr [eax], 0xa
    00008976  eb14              jmp 0x898c
    00008978  8b7d08            mov edi, dword ptr [ebp + 8]
    0000897B  c7                .byte 0xc7
    0000897C  07                pop es
    0000897D  0c                .byte 0x0c
  Note: both stubs recover their own address into EAX, then load a pointer from a fixed displacement off that address and jump through it; this is how position-independent i386 code reaches a table of pointers without knowing where it was loaded. The code that follows (push ebp; mov ebp, esp; push edi/esi/ebx; sub esp, 4; a cmp/je dispatch on [ebp + 0x10]) is a conventional compiler-generated function prologue, so this region looks like an embedded native i386 binary rather than hand-written shellcode. The listing ends mid-instruction at 0x897B (c7 07 ... is the start of a mov dword ptr [edi], imm32), which is why the disassembler prints raw bytes there.
- OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY: the file is 189,674 bytes but its declared streams total only 22,878 bytes; the remaining 166,796 bytes (88%) sit in sectors that no stream claims. A compound file is a sequence of 512-byte sectors mapped by a FAT, and a reader that follows the directory never parses unallocated sectors, yet the whole file is still read into memory. That makes slack the canonical hiding place for payloads of pre-macro-era Office exploits: the parser bug corrupts a pointer or length in the document structure, and the resulting control transfer lands in shellcode (typically XOR-encoded) stored in the unallocated region. Caveat: edited and resaved documents also leave free sectors behind, so slack by itself is weak evidence; the check that matters is whether the shellcode indicators above fall inside it, which requires walking the FAT and mapping their file offsets to sector owners.
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  Note: this is the DrawingML XML namespace, present in any document carrying Office Open XML drawing data; it is not a network indicator.
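The three structural heuristics above (SC_NOP_SLED, SC_GETPC_CALL and OLE_SLACK_ANOMALY) can be reproduced with a short sector-accounting pass over the compound file. The following is an added example, not the analyzer's own code: it walks the FAT and directory of a v3 OLE/CFB file, labels every sector by owner, sums the declared stream sizes, scans the whole file for 20+ NOP runs and CALL $+5 / POP r32 stubs (generalised to any 32-bit register, not only EAX), and reports which sector each hit lands in. The sample document is constructed in build_sample(); the stream name, payload bytes and sector layout are assumptions for illustration, and DIFAT chains beyond the header are deliberately not handled.

```python
"""Added example (not the analyzer's code): account for every sector of an OLE/CFB
file, then scan for the shellcode markers the report flags (NOP sled, CALL $+5 / POP
GetPC stub) and say whether each hit lands in a sector that no stream claims.
The sample document is constructed below, not a real capture."""
import re
import struct

SECTOR = 512                                   # v3 compound files use 512-byte sectors
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
NOP_SLED = re.compile(rb"\x90{20,}")                       # 20+ consecutive NOPs
GETPC = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")    # CALL $+5 ; POP r32


def build_sample(stream_len=4600, free_sectors=20):
    """Constructed v3 CFB: FAT in sector 0, directory in sector 1, one stream called
    'WordDocument' from sector 2, then `free_sectors` unallocated sectors with a payload."""
    n_stream = -(-stream_len // SECTOR)                      # ceil division
    first_free = 2 + n_stream
    fat = [FREESECT] * (SECTOR // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                     # FAT itself, single dir sector
    for s in range(2, first_free - 1):
        fat[s] = s + 1                                       # chain the stream's sectors
    fat[first_free - 1] = ENDOFCHAIN
    hdr = bytearray(SECTOR)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version, BOM, shifts
    struct.pack_into("<III", hdr, 0x2C, 1, 1, 0)                  # nFAT, first dir, txn
    struct.pack_into("<IIIII", hdr, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # cutoff, miniFAT, DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0

    def dirent(name, otype, child, start, size):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\0\0"
        e[:len(enc)] = enc
        struct.pack_into("<HBB", e, 0x40, len(enc), otype, 1)   # name length, type, colour
        struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("WordDocument", 2, FREESECT, 2, stream_len) + bytes(256))
    stream = (b"\xec\xa5" + bytes(range(256)) * 20)[:stream_len].ljust(n_stream * SECTOR, b"\0")
    # Constructed payload in slack: 40-byte NOP sled, CALL $+5 / POP EAX, then the same
    # mov/jmp pattern the report shows, padded with 0xAA filler (assumed, not real).
    payload = b"\x90" * 40 + b"\xe8\x00\x00\x00\x00\x58" + b"\x8b\x80\xcb\x85\x00\x00\xff\xe0"
    return (bytes(hdr) + struct.pack("<128I", *fat) + directory + stream
            + payload.ljust(free_sectors * SECTOR, b"\xaa"))


def parse_cfb(data):
    """Walk the FAT and directory.  Returns (labels, stream_total): labels[i] names the
    owner of data sector i ('fat', 'dir', 'minifat', 'stream:<name>', 'free', 'orphan')."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff, first_minifat, _, _, n_difat = struct.unpack_from("<IIIII", data, 0x38)
    if n_difat:
        raise NotImplementedError("DIFAT sectors beyond the header are not handled here")
    n_sectors = -(-(len(data) - sec) // sec)                 # data sectors after the header
    fat_sectors = struct.unpack_from("<109I", data, 0x4C)[:n_fat]
    fat = []
    for s in fat_sectors:
        fat.extend(struct.unpack_from(f"<{sec // 4}I", data, sec * (s + 1)))
    labels = ["orphan"] * n_sectors
    for s in fat_sectors:
        labels[s] = "fat"

    def chain(start, label):                                 # follow a FAT chain, labelling sectors
        s, seen = start, []
        while s < len(fat) and s not in seen:                # ENDOFCHAIN/FREESECT exceed len(fat)
            seen.append(s)
            if s < n_sectors:
                labels[s] = label
            s = fat[s]
        return seen

    dir_sectors = chain(first_dir, "dir")
    if first_minifat != ENDOFCHAIN:
        chain(first_minifat, "minifat")
    stream_total = 0
    for ds in dir_sectors:
        for off in range(sec * (ds + 1), sec * (ds + 2), 128):
            nlen, otype = struct.unpack_from("<HB", data, off + 0x40)
            if otype not in (2, 5):                          # 2 = stream, 5 = root storage
                continue
            name = data[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", data, off + 0x74)
            if otype == 2:
                stream_total += size
            # Streams below the cutoff live in the root's mini stream (walked via the
            # root entry), so only regular-sized streams get their own chain here.
            if start != ENDOFCHAIN and (otype == 5 or size >= cutoff):
                chain(start, f"stream:{name}")
    for i, lab in enumerate(labels):                         # FREESECT = nobody claims it
        if lab == "orphan" and i < len(fat) and fat[i] == FREESECT:
            labels[i] = "free"
    return labels, stream_total


def triage(data):
    """Declared-vs-actual size plus every shellcode marker with the owner of the sector
    it falls in; hits inside 'free' or 'orphan' sectors are the red flags."""
    labels, stream_total = parse_cfb(data)
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]

    def owner(off):
        i = (off - sec) // sec
        return labels[i] if 0 <= i < len(labels) else "header"

    hits = [(kind, m.start(), m.end() - m.start(), owner(m.start()))
            for kind, rx in (("nop_sled", NOP_SLED), ("getpc", GETPC))
            for m in rx.finditer(data)]
    unaccounted = sec * sum(lab in ("free", "orphan") for lab in labels)
    return {"file_size": len(data), "stream_total": stream_total,
            "unaccounted_bytes": unaccounted,
            "unaccounted_pct": round(100 * unaccounted / len(data), 1), "hits": hits}


if __name__ == "__main__":
    r = triage(build_sample())
    print(f"{r['file_size']} bytes, streams declare {r['stream_total']}, "
          f"{r['unaccounted_bytes']} bytes ({r['unaccounted_pct']}%) in unallocated sectors")
    for kind, off, length, where in r["hits"]:
        print(f"  {kind:9} at 0x{off:06X} len {length:3} in sector owned by: {where}")
```

Two design points. The report's 88% figure is file size minus declared stream bytes, which also counts the header, FAT and directory as "unaccounted"; this script instead counts only sectors the FAT marks FREESECT or that no chain reaches, a stricter measure that will come out lower on the same file. Second, the scan runs over the whole file and then maps each hit back to a sector owner, because a NOP run inside a legitimate stream (say, an embedded image) means something different from the same bytes in slack that no reader should ever touch.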