Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d604ab6459c28db4…

MALICIOUS

Office (OLE)

Size: 235.0 KB
First seen: 2018-02-19
MD5: a1ab2bfcd6fc4ce59873a9bea529701a
SHA-1: a5337466de4089dac6dac473527319dba3fa3a34
SHA-256: d604ab6459c28db47d1c52a080ed3af5df446e97e453b5cb55f3844c283e353b
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 (MS07-060), a memory-corruption vulnerability in Word's handling of a malformed string that allows arbitrary code execution when the document is opened. The VBA project is present but contains no executable statements, so the exploit is most likely triggered by the malformed string itself rather than by macro execution. The presence of VirtualAlloc API references further indicates memory manipulation in support of code execution.

Heuristics (3)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (severity: critical; tag: CVE likely; rule: CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    The sample contains a string reference to the VirtualAlloc API.
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 346 bytes
SHA-256: d8d6aa9142b7c524ecac8bd46c4c0a184757ecd963013bdb1bed432d0535218b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "tetracycline"
Attribute VB_Base = "0{B37FF45F-C671-4713-A11F-F0913CCE5B5D}{FDFD2B12-39F1-41E6-BC62-956D9D337837}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False