Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e71148f1a3f7263a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 778.1 KB
Created: 2007-08-13 02:12:00
Authoring application: Microsoft Office Word
First seen: 2015-10-05
MD5: b7e344ad94fe7be30ba8a3d3b6cf29fc
SHA-1: a818f1d05224531873eee20ace94890559090ad1
SHA-256: e71148f1a3f7263a164aa0a6ed969afa23ddaf92a158bf3cbf622d34aab96c17
Risk score: 560

Heuristics (13)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • CVE-2008-2244 — Microsoft Word record-parsing payload (in carved embedded Office document) critical CVE likely CVE_2008_2244
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • x86 GetPC stub (CALL $+5; POP EDX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EDX)
    Disassembly
    x86 disassembly · validity: code (0.719) — 3/5 branch targets land on an instruction boundary (60% coherence)
    0002C991  e800000000        call 0x2c996
    0002C996  5a                pop edx
    0002C997  85ce              test esi, ecx
    0002C999  f6d8              neg al
    0002C99B  87d0              xchg eax, edx
    0002C99D  8ac2              mov al, dl
    0002C99F  e800000000        call 0x2c9a4
    0002C9A4  5a                pop edx
    0002C9A5  87d0              xchg eax, edx
    0002C9A7  eb07              jmp 0x2c9b0
    0002C9A9  ac                lodsb al, byte ptr [esi]
    0002C9AA  81aa77787d96f7c129e8  sub dword ptr [edx - 0x69828789], 0xe829c1f7
    0002C9B4  4b                dec ebx
    0002C9B5  1089fae80000      adc byte ptr [ecx + 0xe8fa], cl
    0002C9BB  0000              add byte ptr [eax], al
    0002C9BD  5a                pop edx
    0002C9BE  0fc1d0            xadd eax, edx
    0002C9C1  f6c6bb            test dh, 0xbb
    0002C9C4  0fc1d0            xadd eax, edx
    0002C9C7  8d0d00a3ba9d      lea ecx, [0x9dbaa300]
    0002C9CD  31fa              xor edx, edi
    0002C9CF  0fc1d0            xadd eax, edx
    0002C9D2  eb07              jmp 0x2c9db
    0002C9D4  4c                dec esp
    0002C9D5  a14a97189d        mov eax, dword ptr [0x9d18974a]
    0002C9DA  360fc1d0          xadd eax, edx
    0002C9DE  0fb7d7            movzx edx, di
    0002C9E1  85ce              test esi, ecx
    0002C9E3  ba416147e3        mov edx, 0xe3476141
    0002C9E8  c0e85b            shr al, 0x5b
    0002C9EB  ffc2              inc edx
    0002C9ED  8d                .byte 0x8d
    0002C9EE  0d                .byte 0x0d
    0002C9EF  a0                .byte 0xa0
    0002C9F0  e6                .byte 0xe6
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 796,790 bytes but its declared streams total only 18,208 bytes — 778,582 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: embedded_office_0002b96f.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x2B96F
  Size: 618247 bytes
  SHA-256: 3196eb4e867b088a79c51d6a79b701bf34f627ae004ace54bc39db97be714923
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS
  Static shellcode analysis recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx

Artifact 2
  Filename: embedded_office_off0000560d.ole
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside OLE container at offset 0x560D
  Size: 774761 bytes
  SHA-256: 4b9d348030fefeb197b7bb8c309bc5ed623dbc8605ec78fd09ff4b6a23dce21d
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS
  Static shellcode analysis recovered API/import strings: CreateFileW, GetProcAddress, LoadLibraryA, OpenProcess, VirtualAlloc, VirtualAllocEx