Verdict: MALICIOUS
Risk Score: 880

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is a malicious Microsoft Word (OLE/CFB) document whose static structure matches the exploit shapes tracked as CVE-2007-3899 (MS07-060) and CVE-2008-2244 (MS08-042), with a PE executable carried in the document's unallocated sector slack rather than in any declared stream. ClamAV detects the carved executable as Win.Worm.Renamer-6809877-0. String heuristics over the carved code recover CreateProcessA, WriteProcessMemory, CreateRemoteThread, LoadLibraryA, GetProcAddress and VirtualProtect, an API set consistent with dropping and running a payload and with injecting code into another process. The CVE attributions are heuristic ("likely"), based on file shape, not on a confirmed trigger; dynamic analysis in a vulnerable Word build is needed to confirm which parser bug is actually exercised.
Heuristics (18)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical; CVE likely; CVE_2007_3899). Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely; CVE_2008_2244). Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Win.Worm.Renamer-6809877-0 (critical; CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Worm.Renamer-6809877-0.
- Reference to URLDownloadToFile API (critical; SC_STR_URLDOWNLOAD).
- Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY).
- Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD).
- Embedded PE executable (critical; OLE_EMBEDDED_EXE). MZ/PE header found inside the document; possible embedded executable.
- Embedded Office document has suspicious static findings (critical; EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE). A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- x86 GetPC stub, CALL $+5; POP EDX (high; SC_GETPC_CALL). The flagged region at 0x2C99A lies inside the carved PE (which begins at 0x2B96F), about 0x102B bytes into it, not in document slack. The repeated `call $+5; pop edx` pairs are interleaved with arithmetic on the popped value, so treat this as a candidate position-independent code region to confirm, not as proven shellcode. Attempted x86 opcode disassembly:

    0002C99A  e800000000  call 0x2c99f
    0002C99F  5a          pop edx
    0002C9A0  e800000000  call 0x2c9a5
    0002C9A5  5a          pop edx
    0002C9A6  ffc2        inc edx
    0002C9A8  8ac2        mov al, dl
    0002C9AA  85ce        test esi, ecx
    0002C9AC  84f5        test ch, dh
    0002C9AE  d1f2        sal edx, 1
    0002C9B0  0fafd1      imul edx, ecx
    0002C9B3  e800000000  call 0x2c9b8
    0002C9B8  5a          pop edx
    0002C9B9  e800000000  call 0x2c9be
    0002C9BE  5a          pop edx
    0002C9BF  87d0        xchg eax, edx
    0002C9C1  f6d8        neg al
    0002C9C3  31fa        xor edx, edi
    0002C9C5  c0e8ab      shr al, 0xab
    0002C9C8  e800000000  call 0x2c9cd
    0002C9CD  5a          pop edx
    0002C9CE  31fa        xor edx, edi
    0002C9D0  f6d8        neg al
    0002C9D2  e800000000  call 0x2c9d7
    0002C9D7  5a          pop edx
    0002C9D8  f7d2        not edx
    0002C9DA  89fa        mov edx, edi
    0002C9DC  85ce        test esi, ecx
    0002C9DE  0fbeca      movsx ecx, dl
    0002C9E1  31fa        xor edx, edi
    0002C9E3  0fc0c1      xadd cl, al
    0002C9E6  ffc2        inc edx
    0002C9E8  0fbeca      movsx ecx, dl
    0002C9EB  85ce        test esi, ecx
    0002C9ED  f6d8        neg al
    0002C9EF  eb01        jmp 0x2c9f2
    0002C9F1  96          xchg esi, eax
    0002C9F2  ffc2        inc edx
    0002C9F4  86c1        xchg cl, al
    0002C9F6  87d0        xchg eax, edx
    0002C9F8  84f5        test ch, dh

- Reference to WinExec API (high; SC_STR_WINEXEC).
- Reference to CreateProcess API (high; SC_STR_CREATEPROCESS).
- Reference to ShellExecute API (high; SC_STR_SHELLEXEC).
- Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY).
- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS).
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY). The OLE file is 469,594 bytes but its declared streams total only 18,208 bytes; the remaining 451,386 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC).
- Reference to VirtualProtect API (medium; SC_STR_VIRTUALPROTECT).
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
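The three structural heuristics above (OLE_SLACK_ANOMALY, OLE_EMBEDDED_EXE and SC_GETPC_CALL) can be reproduced with a few dozen lines of static code. The following is an added example written for this page, not the analyzer's own implementation. It parses the CFB header, FAT and directory to sum declared stream sizes, measures slack the way the report does (file size minus declared stream bytes), then scans for MZ headers whose e_lfanew lands on a PE signature and for `call $+5; pop r32` GetPC stubs. Assumptions: only the 109 DIFAT entries in the header are followed (enough for files under roughly 7 MB at 512-byte sectors; no DIFAT chain), and the input is a constructed miniature OLE file built inline, not the sample in this report.

```python
import struct

# Added example (not the analyzer's own code): reproduce three of the report's
# static heuristics on a constructed Word-like OLE/CFB file. Assumptions: only
# the 109 DIFAT entries in the header are followed (no DIFAT chain), and slack
# is measured the way the report does it: file size minus declared stream sizes.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF


def _sector(buf, n, size):
    """Sector n starts right after the fixed 512-byte CFB header."""
    return buf[512 + n * size: 512 + (n + 1) * size]


def cfb_declared_stream_bytes(buf):
    """Sum the sizes of all stream entries (object type 2) in the directory."""
    if buf[:8] != MAGIC:
        raise ValueError("not a CFB/OLE file")
    size = 1 << struct.unpack_from("<H", buf, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", buf, 0x2C)
    fat = []
    for s in struct.unpack_from("<109I", buf, 0x4C)[:num_fat]:
        fat.extend(struct.unpack(f"<{size // 4}I", _sector(buf, s, size)))
    total, sec, seen = 0, first_dir, set()
    while sec < len(fat) and sec not in seen:        # ends at ENDOFCHAIN/FREESECT or a loop
        seen.add(sec)
        data = _sector(buf, sec, size)
        for i in range(0, size, 128):                # 128-byte directory entries
            if data[i + 0x42] == 2:                  # object type 2 = stream
                total += struct.unpack_from("<Q", data, i + 0x78)[0] & 0xFFFFFFFF
        sec = fat[sec]
    return total


def ole_slack_report(buf, threshold=0.5):
    """OLE_SLACK_ANOMALY-style check: how much of the file no stream accounts for."""
    declared = cfb_declared_stream_bytes(buf)
    slack = len(buf) - declared
    return {"file_size": len(buf), "declared": declared, "slack": slack,
            "ratio": slack / len(buf), "anomalous": slack / len(buf) >= threshold}


def find_embedded_pe(buf):
    """OLE_EMBEDDED_EXE-style check: MZ headers whose e_lfanew points at PE\\0\\0."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and buf[pos + e_lfanew: pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def find_getpc_stubs(buf):
    """SC_GETPC_CALL-style check: `call $+5` (E8 00 00 00 00) followed by `pop r32` (58..5F)."""
    hits, pos = [], buf.find(b"\xE8\x00\x00\x00\x00")
    while pos != -1:
        if pos + 5 < len(buf) and 0x58 <= buf[pos + 5] <= 0x5F:
            hits.append(pos)
        pos = buf.find(b"\xE8\x00\x00\x00\x00", pos + 1)
    return hits


def _dir_entry(name, otype, start, size_, child=NOSTREAM):
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\0\0"
    e[:len(n)] = n
    struct.pack_into("<HBBIII", e, 0x40, len(n), otype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size_)
    return bytes(e)


def build_sample():
    """Constructed test input: a tiny valid CFB with one 600-byte WordDocument stream,
    followed by ~1 KiB of unallocated slack holding a fake MZ/PE header and a GetPC stub."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<IIIII", hdr, 0x28, 0, 1, 1, 0, 4096)        # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = [FREESECT] * 128
    fat[0], fat[1], fat[2], fat[3] = FATSECT, ENDOFCHAIN, 3, ENDOFCHAIN
    directory = _dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) + _dir_entry("WordDocument", 2, 2, 600)
    stream = (b"\xEC\xA5\xC1\x00" + b"A" * 596).ljust(1024, b"\0")  # 600 bytes over sectors 2-3
    fake_pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    slack = b"\x90" * 300 + fake_pe + b"\xE8\x00\x00\x00\x00\x5A" + b"\0" * 700
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(512, b"\0") + stream + slack


if __name__ == "__main__":
    sample = build_sample()
    print(ole_slack_report(sample))
    print("MZ/PE at", [hex(o) for o in find_embedded_pe(sample)])
    print("GetPC stubs at", [hex(o) for o in find_getpc_stubs(sample)])
```

Slack here is computed exactly as the report states it (file size minus declared stream bytes), which slightly overstates true slack because the header, FAT and directory sectors are legitimately not stream data; on a 469 KB file with 18 KB of streams that difference is noise. The GetPC scan is deliberately loose: `call $+5; pop r32` also appears in ordinary position-independent compiler output, so, as with the 0x2C99A region above, a hit marks a region to inspect rather than a verdict.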
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_0002b96f.exe | embedded-pe | Office MZ+PE at offset 0x2B96F | 291,051 bytes | 1aa6015aa4b23b0b261ce0334c2746ae2c668d6c34ae4c777ce572f494cc57d3 | Win.Worm.Renamer-6809877-0 | likely |
| embedded_office_off0000560d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x560D | 447,565 bytes | 38e98abb23ea939c21e34cf6f93eb2d9576e807fadcf7cbeebcf4bbec273a68f | Win.Worm.Renamer-6809877-0 | likely |

For both artifacts, static shellcode analysis found candidate code region(s) (indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_GETPROCADDRESS) and recovered the API/import strings CreateProcessA, GetProcAddress, LoadLibraryA, RtlMoveMemory, VirtualProtect and CreateRemoteThread.

The two carved regions overlap: the OLE body at offset 0x560D (22,029) plus its 447,565 bytes, and the PE at offset 0x2B96F (178,543) plus its 291,051 bytes, both end at byte 469,594, the end of the file. The PE therefore sits inside the carved OLE body, and the identical ClamAV hit and identical recovered strings on both artifacts most likely reflect the same executable seen twice, not two payloads.