MALICIOUS
922
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 PowerShell
T1059.003 Windows Command Shell
The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 and CVE-2008-2244 to embed and execute a PE executable. Heuristics indicate the use of WinExec, CreateProcess, ShellExecute, URLDownloadToFile, VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress, suggesting a complex payload execution chain. The embedded PE executable, detected by ClamAV as Win.Malware.Razy-9886340-0, is the primary malicious component.
Heuristics 20
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
ClamAV: Win.Malware.Razy-9886340-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Malware.Razy-9886340-0
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREADReference to CreateRemoteThread API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
x86 GetPC stub (CALL $+5; POP EDX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EDX)
Disassembly
Attempted x86 opcode disassembly0002CC72 e800000000 call 0x2cc77 0002CC77 5a pop edx 0002CC78 ffc2 inc edx 0002CC7A 0fc0c1 xadd cl, al 0002CC7D e800000000 call 0x2cc82 0002CC82 5a pop edx 0002CC83 f7d2 not edx 0002CC85 0fafd7 imul edx, edi 0002CC88 0fbeca movsx ecx, dl 0002CC8B d1f2 sal edx, 1 0002CC8D 0fafd1 imul edx, ecx 0002CC90 f6d8 neg al 0002CC92 bab983e049 mov edx, 0x49e083b9 0002CC97 69c88060c309 imul ecx, eax, 0x9c36080 0002CC9D 8d15d1abaefa lea edx, [0xfaaeabd1] 0002CCA3 85ce test esi, ecx 0002CCA5 eb07 jmp 0x2ccae 0002CCA7 21ca and edx, ecx 0002CCA9 17 pop ss 0002CCAA 98 cwde 0002CCAB 1db6b3e800 sbb eax, 0xe8b3b6 0002CCB0 0000 add byte ptr [eax], al 0002CCB2 005a85 add byte ptr [edx - 0x7b], bl 0002CCB5 ce into 0002CCB6 86c1 xchg cl, al 0002CCB8 0fc1d0 xadd eax, edx 0002CCBB 2cc3 sub al, 0xc3 0002CCBD 31fa xor edx, edi 0002CCBF 8ac2 mov al, dl 0002CCC1 0fafd7 imul edx, edi 0002CCC4 f6c6b3 test dh, 0xb3 0002CCC7 e800000000 call 0x2cccc 0002CCCC 5a pop edx 0002CCCD c3 ret 0002CCCE 0000 add byte ptr [eax], al 0002CCD0 0000 add byte ptr [eax], al
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 746,606 bytes but its declared streams total only 18,208 bytes — 728,398 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://upx.tsx.org In document text (OLE body)
- http://microsoft.com0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn document text (OLE body)
- http://www.microsoft.com/pki/certs/CSPCA.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn document text (OLE body)
- http://www.microsoft.com/pki/certs/tspca.crt0In document text (OLE body)
- http://go.microsoft.com/fwlink/?LinkId=96782ARPNOMODIFYARPURLUpdateInfohttp://go.microsoft.com/fwlink/?LinkId=96789comspec_cmd%comspec%DDPatchDiskNo1[DiskIn document text (OLE body)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0002b96f.exe |
embedded-pe | Office MZ+PE at offset 0x2B96F | 568063 bytes |
SHA-256: 4ee1a24b65e21d84af09a84042e14fa77ae4b033dbaaeb660cd63a4829111e79 |
|||
|
Detection
ClamAV:
Win.Malware.Razy-9886340-0
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, VirtualProtect, CreateRemoteThread, VirtualAlloc, VirtualAllocEx
|
|||
embedded_office_off0000560d.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x560D | 724577 bytes |
SHA-256: cc2f37258b372b1fb18e80d3a3111260fab58329a56666db12e3a9db359d9160 |
|||
|
Detection
ClamAV:
Win.Malware.Razy-9886340-0
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, LoadLibraryA, VirtualProtect, CreateRemoteThread, VirtualAlloc, VirtualAllocEx
|
|||
embedded_office_00002a00.exe |
embedded-pe | Office MZ+PE at offset 0x2A00 | 295896 bytes |
SHA-256: 5241f8713bf506539b733ff12ef20e4a39bff6a45720a638020a0b1baadc88f9 |
|||
|
Detection
ClamAV:
Win.Malware.Razy-9886340-0
Obfuscation or payload:
unlikely
|
|||
embedded_office_off0006b696.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6B696 | 306648 bytes |
SHA-256: b0d33837444eb7d0ae2ea084efd543534befa09c76d204f9aadd2b2c1945b79a |
|||
|
Detection
ClamAV:
Win.Malware.Razy-9886340-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.