Verdict: MALICIOUS
Risk Score: 420
Heuristics: 10
- CVE-2008-4841 — WordPad Word97 converter exploit (critical, CVE likely, rule CVE_2008_4841): Word 97-era document contains the CVE-2008-4841 converter exploit shape: shellcode bytes are embedded immediately before a malformed Word table SPRM cluster that also resembles older Word table-SPRM corruption. This is reported as the WordPad Text Converter issue instead of CVE-2006-6456 because the trigger is the converter-facing Word97 carrier with adjacent native payload bytes.
- Embedded PE executable (critical, rule OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- Reference to WinExec API (high, rule SC_STR_WINEXEC).
- Reference to CreateProcess API (high, rule SC_STR_CREATEPROCESS).
- Suspicious cmd.exe invocation with execution flag (high, rule SC_STR_CMD).
- Reference to LoadLibrary API (high, rule SC_STR_LOADLIBRARY).
- Reference to GetProcAddress API (high, rule SC_STR_GETPROCADDRESS).
- OLE document has large unaccounted-for region (high, rule OLE_SLACK_ANOMALY): OLE file is 307,712 bytes but its declared streams total only 94,801 bytes — 212,911 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Suspicious extracted artifact (high, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API (medium, rule SC_STR_VIRTUALALLOC).
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00028784.exe | embedded-pe | Office MZ+PE at offset 0x28784 | 141948 bytes |

SHA-256: cb2b96959cce1ebb7a875041c1d632b2c8b0bc05ef01b7c3bc9345031ca11993

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis recovered command string(s): cmd.exe /c