Verdict: MALICIOUS
Risk Score: 528

Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1203 Exploitation for Client Execution
The sample is an OLE file containing a VBA macro and an embedded PE executable. The VBA macro likely facilitates the execution of the embedded PE file, which is a common technique for delivering malware. The presence of WinExec, ShellExecute, LoadLibrary, and GetProcAddress API calls further suggests the macro is designed to load and run the embedded payload. The ClamAV detection of 'Win.Trojan.Pcclient-3561' on both the container and the extracted artifact confirms its malicious nature.
Heuristics (11)

- CVE-2008-2244 — Microsoft Word record-parsing payload [critical, CVE_2008_2244]: Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Trojan.Pcclient-3561 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Pcclient-3561
- XOR-encoded strings (key 0x94) [critical, SC_XOR_ENCODED]: Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x94: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess ', 'CreateFileA '
  Disassembly (attempted x86 opcode disassembly):

  ```
  00001571 fff1            push ecx
  00001573 e6fa            out 0xfa, al
  00001575 f1              int1
  00001576 f8              clc
  00001577 a7              cmpsd dword ptr [esi], dword ptr es:[edi]
  00001578 a6              cmpsb byte ptr [esi], byte ptr es:[edi]
  00001579 baf0f8f894      mov edx, 0x94f8f8f0
  0000157E f7aec8eab0e0    imul dword ptr [esi - 0x1f4f1538]
  00001584 f1              int1
  00001585 f9              stc
  00001586 e4ba            in al, 0xba
  00001588 f0              .byte 0xf0
  00001589 fb              sti
  0000158A f7949494949494  not dword ptr [esp + edx*4 - 0x6b6b6b6c]
  00001591 94              xchg esp, eax
  00001592 94              xchg esp, eax
  00001593 94              xchg esp, eax
  00001594 94              xchg esp, eax
  00001595 94              xchg esp, eax
  00001596 94              xchg esp, eax
  00001597 94              xchg esp, eax
  00001598 94              xchg esp, eax
  00001599 94              xchg esp, eax
  0000159A 94              xchg esp, eax
  0000159B 94              xchg esp, eax
  0000159C 94              xchg esp, eax
  0000159D 94              xchg esp, eax
  0000159E 94              xchg esp, eax
  0000159F 94              xchg esp, eax
  000015A0 94              xchg esp, eax
  000015A1 94              xchg esp, eax
  000015A2 94              xchg esp, eax
  000015A3 94              xchg esp, eax
  000015A4 94              xchg esp, eax
  000015A5 94              xchg esp, eax
  000015A6 94              xchg esp, eax
  000015A7 94              xchg esp, eax
  000015A8 94              xchg esp, eax
  000015A9 94              xchg esp, eax
  000015AA 94              xchg esp, eax
  000015AB 94              xchg esp, eax
  000015AC f0              .byte 0xf0
  000015AD 1f              pop ds
  000015AE a194949494      mov eax, dword ptr [0x94949494]
  000015B3 39d4            cmp esp, edx
  000015B5 e093            loopne 0x154a
  000015B7 dc1f            fcomp qword ptr [edi]
  000015B9 44              inc esp
  000015BA 1f              pop ds
  000015BB 94              xchg esp, eax
  000015BC 7f62            jg 0x1620
  000015BE 1f              pop ds
  000015BF d6              salc
  000015C0 90              nop
  000015C1 b194            mov cl, 0x94
  000015C3 94              xchg esp, eax
  000015C4 6b6bf215        imul ebp, dword ptr [ebx - 0xe], 0x15
  000015C8 ac              lodsb al, byte ptr [esi]
  000015C9 d9ce            fxch st(6)
  000015CB e198            loope 0x1565
  000015CD 1f              pop ds
  000015CE dc              .byte 0xdc
  000015CF a897            test al, 0x97
  ```
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document — possible embedded executable
- Reference to WinExec API [high, SC_STR_WINEXEC]: Reference to WinExec API
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]: Reference to ShellExecute API
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]: Reference to LoadLibrary API
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 66,263 bytes but its declared streams total only 16,523 bytes — 49,740 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]: Reference to VirtualProtect API
- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but the extracted modules contain only attributes, options and comments and no executable statements.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 357 bytes |
| embedded_office_00005800.exe | embedded-pe | Office MZ+PE at offset 0x5800 | 43735 bytes |

macros.bas
SHA-256: 45a4b3651762a7c760540d16489d504e5ad9462cf46675ae9168748a05b0f967
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
```

embedded_office_00005800.exe
SHA-256: a046feccf44503e1c928c558cc8dc969656605f767294ff132a8339941b8d186
Detection (ClamAV): Win.Trojan.Pcclient-3561
Obfuscation or payload: unlikely