Verdict: MALICIOUS
Risk Score: 802
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.001 PowerShell
The sample is a malicious OLE document that exploits two critical vulnerabilities (CVE-2007-3899 and CVE-2008-2244) to embed and execute a PE file. The embedded executable was detected by ClamAV as Win.Malware.Razy-9886340-0. The document also contains references to WinExec, CreateProcess, VirtualAlloc, VirtualProtect, CreateRemoteThread, LoadLibrary, and GetProcAddress APIs, indicating its payload functionality. The presence of a NOP sled and GetPC stub further suggests shellcode execution.
Heuristics (18)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely; rule CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical, CVE likely; rule CVE_2008_2244): Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Malware.Razy-9886340-0 (critical; rule CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Malware.Razy-9886340-0
- Reference to CreateRemoteThread API (critical; rule SC_STR_CREATEREMOTETHREAD)
- Embedded PE executable (critical; rule OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- Embedded Office document has suspicious static findings (critical; rule EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected (high; rule SC_NOP_SLED): Found 20+ consecutive 0x90 bytes
  Disassembly (attempted x86 opcode disassembly): 96 consecutive `nop` (0x90) instructions, from 00050D75 through 00050DD4.
- x86 GetPC stub (CALL $+5; POP EAX) (high; rule SC_GETPC_CALL)
  Disassembly (attempted x86 opcode disassembly; the tail from 00050D19 no longer decodes as valid instructions):

```
00050CBE e800000000    call 0x50cc3
00050CC3 58            pop eax
00050CC4 f7d8          neg eax
00050CC6 f7d9          neg ecx
00050CC8 eb03          jmp 0x50ccd
00050CCA 90            nop
00050CCB 90            nop
00050CCC 90            nop
00050CCD 0fc1c9        xadd ecx, ecx
00050CD0 85ce          test esi, ecx
00050CD2 0fafc8        imul ecx, eax
00050CD5 baf9dbe103    mov edx, 0x3e1dbf9
00050CDA f7d1          not ecx
00050CDC 0fbfca        movsx ecx, dx
00050CDF 8d15925ab9b3  lea edx, [0xb3b95a92]
00050CE5 8d0dc2cf77dc  lea ecx, [0xdc77cfc2]
00050CEB 0fbfc2        movsx eax, dx
00050CEE 2d22d6f284    sub eax, 0x84f2d622
00050CF3 f7c65267958d  test esi, 0x8d956752
00050CF9 49            dec ecx
00050CFA ffc0          inc eax
00050CFC 11da          adc edx, ebx
00050CFE e802000000    call 0x50d05
00050D03 90            nop
00050D04 90            nop
00050D05 5a            pop edx
00050D06 8d0d501ef6fc  lea ecx, [0xfcf61e50]
00050D0C 0fbfc8        movsx ecx, ax
00050D0F 8bc0          mov eax, eax
00050D11 69cf604bf29c  imul ecx, edi, 0x9cf24b60
00050D17 ffc0          inc eax
00050D19 f7            .byte 0xf7
00050D1A c5            .byte 0xc5
00050D1B e5b0          in eax, 0xb0
00050D1D fc            cld
```
- Reference to WinExec API (high; rule SC_STR_WINEXEC)
- Reference to CreateProcess API (high; rule SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
- OLE document has large unaccounted-for region (high; rule OLE_SLACK_ANOMALY): OLE file is 866,891 bytes but its declared streams total only 18,208 bytes — 848,683 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Clipboard command execution lure (high; rule SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC)
- Reference to VirtualProtect API (medium; rule SC_STR_VIRTUALPROTECT)
- Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://upx.tsx.org (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 688348 bytes |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 844862 bytes |

embedded_office_0002b96f.exe
- SHA-256: 3ce686fbf9c303add6f324adf401a7ccd9807dea35a912f1d58d1363e6d38abd
- Detection (ClamAV): Win.Malware.Razy-9886340-0
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Static shellcode analysis recovered API/import strings: CreateFileA, CreateRemoteThread, GetProcAddress, LoadLibraryA, LoadLibraryW, VirtualProtect.

embedded_office_off0000560d.ole
- SHA-256: 53e91b77f1b79cb5327933a87f1ac3498f71704a234f4d75c84eeb1cb6bc8d22
- Detection (ClamAV): Win.Malware.Razy-9886340-0
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS. Static shellcode analysis recovered API/import strings: CreateFileA, CreateRemoteThread, GetProcAddress, LoadLibraryA, LoadLibraryW, VirtualProtect.