Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c7996153ac5b62d9…

MALICIOUS

Office (OLE)

Size: 300.5 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-30
MD5: 49078dc111d90d27f521e4fdb16d9f87
SHA-1: 0e3f91f6d1ad9ad67be9b6a3eeaa2b780c97f990
SHA-256: c7996153ac5b62d904e7ddbd7e56f072c2adb0a51aaf3a362474ad61f4553450
Risk score: 420

Heuristics (10)

  • CVE-2008-4841 — WordPad Word97 converter exploit (severity: critical; CVE likely; rule: CVE_2008_4841)
    Word 97-era document contains the CVE-2008-4841 converter exploit shape: shellcode bytes are embedded immediately before a malformed Word table SPRM cluster that also resembles older Word table-SPRM corruption. This is reported as the WordPad Text Converter issue instead of CVE-2006-6456 because the trigger is the converter-facing Word97 carrier with adjacent native payload bytes.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
    Reference to WinExec API.
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API.
  • Suspicious cmd.exe invocation with execution flag (severity: high; rule: SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 307,712 bytes but its declared streams total only 94,801 bytes — 212,911 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00028784.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x28784
Size: 141948 bytes
SHA-256: cb2b96959cce1ebb7a875041c1d632b2c8b0bc05ef01b7c3bc9345031ca11993
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd.exe /c