Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f3cf64a0fc5f2160…

MALICIOUS

Office (OLE)

Size: 67.9 KB
Created: 2006-04-29 01:29:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 55e66745fd9bfe4f943a67ae50e709fa
SHA-1: 3dfd03bbdaf9876f0bbaf5e6dc21125c7183da6e
SHA-256: f3cf64a0fc5f2160c77ce371cfbd2051a2f3985b9d2c908d2691dde21a48802f
Risk score: 720

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Word binary (.doc) document whose static layout matches the MS08-042 record-parsing exploit family tracked as CVE-2008-2244: small WordDocument and table streams, a large region of the OLE container that no stream accounts for, and an executable payload placed in that region. The CVE attribution rests on that shape alone (the tool rates it "likely"); nothing here executes the document, so treat the CVE as the candidate trigger, not a confirmed one. The container carries an embedded PE executable at offset 0x7600, which ClamAV identifies as Win.Trojan.Pcclient-3153. String references to CreateProcess, ShellExecute, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary and GetProcAddress were found statically; they are names in the file, not observed behaviour, but together they are the standard toolkit for resolving APIs at run time and either injecting code into another process or launching a new one.

Heuristics (15)

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document with normal small WordDocument/table streams, a large unallocated OLE region, and an executable or resolver-shellcode payload in that region. That is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244. The match is on layout only, which is why it is tagged "likely": confirm with a detonation or a record-level parse of the WordDocument stream before reporting the CVE as the trigger.
  • ClamAV: Win.Trojan.Pcclient-3153 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pcclient-3153
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    String reference to WriteProcessMemory, which writes into another process's address space; together with CreateRemoteThread it is the classic remote-injection pair.
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    String reference to CreateRemoteThread, which starts a thread in another process, typically on memory filled by WriteProcessMemory.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside the document at offset 0x7600. The executable was carved as embedded_office_00007600.exe (39,325 bytes, running to end of file) and is listed under Extracted artifacts below.
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes. The listing shows 64 of them (0x5C0 to 0x5FF) ending in a backward jmp to 0x48E (E9 89 FE FF FF, rel32 -0x177). The lines after the jmp are zero padding that the disassembler renders as `add byte ptr [eax], al`; they are not code. The sled sits in the container before the embedded PE at 0x7600, not inside the executable.
    Disassembly
    Attempted x86 opcode disassembly
    000005C0  90                nop
    000005C1  90                nop
    000005C2  90                nop
    000005C3  90                nop
    000005C4  90                nop
    000005C5  90                nop
    000005C6  90                nop
    000005C7  90                nop
    000005C8  90                nop
    000005C9  90                nop
    000005CA  90                nop
    000005CB  90                nop
    000005CC  90                nop
    000005CD  90                nop
    000005CE  90                nop
    000005CF  90                nop
    000005D0  90                nop
    000005D1  90                nop
    000005D2  90                nop
    000005D3  90                nop
    000005D4  90                nop
    000005D5  90                nop
    000005D6  90                nop
    000005D7  90                nop
    000005D8  90                nop
    000005D9  90                nop
    000005DA  90                nop
    000005DB  90                nop
    000005DC  90                nop
    000005DD  90                nop
    000005DE  90                nop
    000005DF  90                nop
    000005E0  90                nop
    000005E1  90                nop
    000005E2  90                nop
    000005E3  90                nop
    000005E4  90                nop
    000005E5  90                nop
    000005E6  90                nop
    000005E7  90                nop
    000005E8  90                nop
    000005E9  90                nop
    000005EA  90                nop
    000005EB  90                nop
    000005EC  90                nop
    000005ED  90                nop
    000005EE  90                nop
    000005EF  90                nop
    000005F0  90                nop
    000005F1  90                nop
    000005F2  90                nop
    000005F3  90                nop
    000005F4  90                nop
    000005F5  90                nop
    000005F6  90                nop
    000005F7  90                nop
    000005F8  90                nop
    000005F9  90                nop
    000005FA  90                nop
    000005FB  90                nop
    000005FC  90                nop
    000005FD  90                nop
    000005FE  90                nop
    000005FF  90                nop
    00000600  e989feffff        jmp 0x48e
    00000605  0000              add byte ptr [eax], al
    00000607  0000              add byte ptr [eax], al
    00000609  00ce              add dh, cl
    0000060B  0900              or dword ptr [eax], eax
    0000060D  0000              add byte ptr [eax], al
    0000060F  0000              add byte ptr [eax], al
    00000611  0000              add byte ptr [eax], al
    00000613  0000              add byte ptr [eax], al
    00000615  0000              add byte ptr [eax], al
    00000617  0000              add byte ptr [eax], al
    00000619  007a03            add byte ptr [edx + 3], bh
    0000061C  0000              add byte ptr [eax], al
    0000061E  0000              add byte ptr [eax], al
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    Two CALL $+5 / POP stubs, at 0x9B0E and 0x9B2E. Offset 0x9B0E lies inside the embedded PE (0x7600 to end of file), so this is the executable's own position-independent unpacking code rather than document-level shellcode. The first stub stores its own position minus 0x913 at [esp+0x14] and that value minus 0x405000 at [esp+0x10]; the second subtracts 0x401318 from EBP, the usual delta-offset idiom against a link-time address (an image base of 0x400000 is implied), then points EDI at an encoded region and runs a per-byte decoder keyed by EDX=0x9313D522 and ECX=0x1119 (xor/sub/ror/add with DL, DH, CL and CH). The listing is cut off before the store and loop instructions, so whether ECX also serves as the loop counter (which would change the ROR count on every iteration) cannot be read from it.
    Disassembly
    Attempted x86 opcode disassembly
    00009B0E  e800000000        call 0x9b13
    00009B13  58                pop eax
    00009B14  2d0e090000        sub eax, 0x90e
    00009B19  83e805            sub eax, 5
    00009B1C  89442414          mov dword ptr [esp + 0x14], eax
    00009B20  2d00500000        sub eax, 0x5000
    00009B25  2d00004000        sub eax, 0x400000
    00009B2A  89442410          mov dword ptr [esp + 0x10], eax
    00009B2E  e800000000        call 0x9b33
    00009B33  5d                pop ebp
    00009B34  81ed18134000      sub ebp, 0x401318
    00009B3A  81c520000000      add ebp, 0x20
    00009B40  8dbd0e154000      lea edi, [ebp + 0x40150e]
    00009B46  81c700000000      add edi, 0
    00009B4C  81ed20000000      sub ebp, 0x20
    00009B52  ba22d51393        mov edx, 0x9313d522
    00009B57  b919110000        mov ecx, 0x1119
    00009B5C  8a07              mov al, byte ptr [edi]
    00009B5E  32c2              xor al, dl
    00009B60  2ac2              sub al, dl
    00009B62  2ac2              sub al, dl
    00009B64  32c5              xor al, ch
    00009B66  2ac2              sub al, dl
    00009B68  d2c8              ror al, cl
    00009B6A  02c1              add al, cl
    00009B6C  02c6              add al, dh
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    String reference to CreateProcess, the direct way to launch a dropped binary or a suspended host process for injection.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    String reference to ShellExecute, which opens a file or URL through the shell; droppers use it to launch the payload or a decoy document.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    String reference to LoadLibrary; with GetProcAddress it resolves imports at run time so the static import table can stay bare.
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    String reference to GetProcAddress; see LoadLibrary above.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 69,533 bytes but its declared streams total only 26,783 bytes, so 42,750 bytes (61%) are accounted for by no stream. Most of that is the embedded PE: it starts at offset 0x7600 (30,208) and its 39,325 bytes run exactly to end of file (30,208 + 39,325 = 69,533), so the executable was placed beyond the container's allocated content. Unallocated slack is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    String reference to VirtualAlloc, used to obtain writable and executable memory for unpacked code; the extracted PE's strings also include VirtualAllocEx, the cross-process variant used before WriteProcessMemory.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
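The OLE_SLACK_ANOMALY figure above (file size against the sum of declared stream sizes) is cheap to reproduce without the analysis platform. The following is an added example, not the report tool's code: a minimal compound-file walker that reads the header DIFAT, loads the FAT, walks the directory chain to total the stream sizes, and additionally counts the sectors the FAT actually allocates, which separates "bytes no stream claims" from the stricter "bytes past the last allocated sector". It only follows the 109 DIFAT entries in the header (enough for files under about 7 MB with 512-byte sectors) and assumes a well-formed header. The test input is a constructed four-sector .doc-like container with an appended blob, not the real sample.

```python
import struct

ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_STREAM, TYPE_ROOT = 2, 5
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def cfb_slack(data):
    """Compare an OLE compound file's size with what its own metadata accounts for.

    Returns file_size, stream_total (sum of declared stream sizes, the figure the
    OLE_SLACK_ANOMALY heuristic quotes), allocated (header plus every sector the FAT
    marks in use) and beyond_fat (bytes past the last allocated sector, i.e. an
    appended payload). Only the 109 header DIFAT entries are followed.
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []
    for i in range(min(n_fat, 109)):
        sid = struct.unpack_from("<I", data, 0x4C + 4 * i)[0]
        fat.extend(struct.unpack_from("<%dI" % (sector // 4), data, (sid + 1) * sector))
    stream_total, sid, seen = 0, first_dir, set()
    while sid < len(fat) and sid not in seen:   # ENDOFCHAIN/FREESECT are >= len(fat); loops are cut
        seen.add(sid)
        base = (sid + 1) * sector
        for e in range(sector // 128):           # 128-byte directory entries
            ent = base + e * 128
            if data[ent + 0x42] == TYPE_STREAM:
                lo, hi = struct.unpack_from("<II", data, ent + 0x78)
                stream_total += lo if sector == 512 else (hi << 32) | lo   # v3 ignores the high dword
        sid = fat[sid]
    allocated = sector * (1 + sum(1 for s in fat if s != FREESECT))
    return {"file_size": len(data), "stream_total": stream_total,
            "allocated": allocated, "beyond_fat": max(0, len(data) - allocated)}


# ---- constructed test input (not the real sample) ----
def _dir_entry(name, etype, child, start, size):
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\0\0"
    e[:len(n)] = n
    struct.pack_into("<HBBIII", e, 0x40, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<II", e, 0x74, start, size)   # start sector, size
    return e


def build_sample_ole(appended=4096):
    """v3 container: header, one FAT sector, one directory sector holding a 300-byte
    WordDocument stream in sector 2, then `appended` bytes nothing accounts for."""
    sector = 512
    hdr = bytearray(sector)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major 3, byte order, shifts
    # num dir sectors, num FAT sectors, first dir sector, txn sig, mini cutoff, first mini FAT, num mini FAT, first DIFAT
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT lives in sector 0
    fat = bytearray(b"\xFF" * sector)                                # everything free ...
    struct.pack_into("<3I", fat, 0, FATSECT, ENDOFCHAIN, ENDOFCHAIN)  # ... except FAT, dir, stream
    dirs = _dir_entry("Root Entry", TYPE_ROOT, 1, ENDOFCHAIN, 0) + \
        _dir_entry("WordDocument", TYPE_STREAM, NOSTREAM, 2, 300)
    dirs += bytearray(sector - len(dirs))                            # two unused entries
    stream = b"\xEC\xA5" + bytes(sector - 2)                         # FIB wIdent, then padding
    payload = bytes((i * 37 + 11) & 0xFF for i in range(appended))
    return bytes(hdr + fat + dirs) + stream + payload


if __name__ == "__main__":
    r = cfb_slack(build_sample_ole())
    print(r, "slack ratio %.0f%%" % (100 * (r["file_size"] - r["stream_total"]) / r["file_size"]))
```

On the constructed file the two measures agree on the appended 4,096 bytes; on a real document they often do not, because directory and FAT sectors, the mini stream and free-but-allocated sectors all count as allocated without belonging to any stream. Flag on beyond_fat first, and use the stream-total ratio as the softer signal.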

Extracted artifacts (1)

Files carved from inside the sample during analysis.
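Three of the heuristics above (OLE_EMBEDDED_EXE, SC_NOP_SLED, SC_GETPC_CALL) and the carve itself reduce to byte scans over the container. The block below is an added example, not the analysis platform's code, showing how a carver locates an embedded PE by validating e_lfanew against a `PE\0\0` signature and sizing it from the section table, how a NOP-sled detector reports runs of 0x90, and how a GetPC detector matches `E8 00 00 00 00` followed by a POP. The input it scans is constructed in the block (filler plus a 64-byte sled, a CALL/POP stub and a minimal fake PE) and is not the sample's bytes; the offsets in its comments refer to that constructed buffer only.

```python
import struct

# Register names for POP opcodes 0x58..0x5F, used to label a GetPC stub.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_nop_sleds(buf, min_len=20):
    """Runs of 0x90 at least min_len long, as (offset, length). Mirrors SC_NOP_SLED."""
    runs, i, n = [], 0, len(buf)
    while i < n:
        if buf[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def find_getpc_stubs(buf):
    """CALL $+5 (E8 00 00 00 00) followed by POP reg, as (offset, reg). Mirrors SC_GETPC_CALL."""
    hits, pat = [], b"\xe8\x00\x00\x00\x00"
    pos = buf.find(pat)
    while pos != -1:
        if pos + 5 < len(buf) and 0x58 <= buf[pos + 5] <= 0x5F:
            hits.append((pos, POP_REGS[buf[pos + 5] - 0x58]))
        pos = buf.find(pat, pos + 1)
    return hits


def find_embedded_pe(buf):
    """Every 'MZ' whose e_lfanew lands on 'PE\\0\\0', as (offset, carve_size).
    carve_size is the end of the last section's raw data, capped at end of buffer:
    the number of bytes a carver writes out. Mirrors OLE_EMBEDDED_EXE."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0" and pe + 24 <= len(buf):
                nsec = struct.unpack_from("<H", buf, pe + 6)[0]        # NumberOfSections
                opt_size = struct.unpack_from("<H", buf, pe + 20)[0]   # SizeOfOptionalHeader
                sec_tab = pe + 24 + opt_size
                end = sec_tab + 40 * nsec - pos                         # at least the headers
                for i in range(nsec):
                    off = sec_tab + 40 * i
                    if off + 40 > len(buf):
                        break
                    raw_size, raw_ptr = struct.unpack_from("<II", buf, off + 16)
                    end = max(end, raw_ptr + raw_size)
                hits.append((pos, min(pos + end, len(buf)) - pos))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def triage(buf):
    return {"pe": find_embedded_pe(buf), "nop_sleds": find_nop_sleds(buf), "getpc": find_getpc_stubs(buf)}


# ---- constructed test input (not the real sample) ----
def _filler(n):
    # Neighbouring bytes always differ by 37, so the filler never forms a run or a marker.
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


def build_fake_pe():
    """Minimal PE32 image: e_lfanew=0x80, one section whose raw data ends at 0x400."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\0\0"
    # COFF: Machine i386, 1 section, stamp, symtab, nsyms, SizeOfOptionalHeader 0xE0, Characteristics
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", pe, 0x98, 0x10B)                  # optional header magic PE32
    sec = 0x98 + 0xE0
    pe[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", pe, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    return bytes(pe)


def build_sample():
    """Filler with a 64-byte sled + backward jmp at 0x400, CALL/POP EAX at 0x545,
    a 10-byte NOP run (below threshold) and a fake PE at 0x1000 with 0x200 bytes after it."""
    head = _filler(0x400) + b"\x90" * 64 + b"\xe9\x89\xfe\xff\xff" + _filler(0x100)
    head += b"\xe8\x00\x00\x00\x00\x58" + b"\x90" * 10
    head += _filler(0x1000 - len(head))
    return head + build_fake_pe() + _filler(0x200)


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(k, [(hex(a), b if isinstance(b, str) else hex(b)) for a, b in v])
```

Applied to the real container the PE scan would report offset 0x7600, and the GetPC scan would return two hits (0x9B0E and 0x9B2E) that fall inside that PE's range, which is how a script can tell container-level shellcode from the executable's own stub.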

Filename: embedded_office_00007600.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x7600
Size: 39325 bytes
SHA-256: 5e937e221502846ffdcb6dc9f4877de2c9a9e42a6d2d98e7d5cd1bfbd340d9bc
Detection
ClamAV: Win.Trojan.Pcclient-3153
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_CREATEREMOTETHREAD, SC_STR_SHELLEXEC, SC_GETPC_CALL
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress, VirtualAlloc, VirtualAllocEx, WriteProcessMemory
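The SC_GETPC_CALL indicator on this artifact is the decoder stub whose listing appears in the heuristics above (0x9B0E onward). The block below is an added example, not code from the sample or from the analysis platform: a Python re-implementation of the eight per-byte instructions from 0x9B5C to 0x9B6C with the immediates lifted from the listing (EDX=0x9313D522, ECX=0x1119), plus the exact inverse so test vectors can be generated. The listing stops before the store and loop instructions, so the buffer-level functions model two assumptions rather than observed behaviour: ECX held constant, or ECX decremented per byte as a LOOP tail would do (which changes the ROR count as CL drifts). The plaintext in the usage block is constructed, not recovered from the sample.

```python
# Immediates lifted from the listing: mov edx, 0x9313d522 / mov ecx, 0x1119
EDX, ECX = 0x9313D522, 0x1119


def ror8(v, count):
    # x86 masks the rotate count to 5 bits; on an 8-bit operand only count mod 8 changes the value.
    count = (count & 0x1F) % 8
    return ((v >> count) | (v << (8 - count))) & 0xFF


def rol8(v, count):
    count = (count & 0x1F) % 8
    return ((v << count) | (v >> (8 - count))) & 0xFF


def _regs(edx, ecx):
    return edx & 0xFF, (edx >> 8) & 0xFF, ecx & 0xFF, (ecx >> 8) & 0xFF   # dl, dh, cl, ch


def decode_byte(b, edx=EDX, ecx=ECX):
    """The instructions from 0x9B5C to 0x9B6C applied to one input byte in AL."""
    dl, dh, cl, ch = _regs(edx, ecx)
    al = b ^ dl                 # xor al, dl
    al = (al - dl) & 0xFF       # sub al, dl
    al = (al - dl) & 0xFF       # sub al, dl
    al ^= ch                    # xor al, ch
    al = (al - dl) & 0xFF       # sub al, dl
    al = ror8(al, cl)           # ror al, cl
    al = (al + cl) & 0xFF       # add al, cl
    return (al + dh) & 0xFF     # add al, dh


def encode_byte(b, edx=EDX, ecx=ECX):
    """Exact inverse (steps reversed); used to build test vectors for the decoder."""
    dl, dh, cl, ch = _regs(edx, ecx)
    al = (b - dh) & 0xFF
    al = (al - cl) & 0xFF
    al = rol8(al, cl)
    al = (al + dl) & 0xFF
    al ^= ch
    al = (al + dl) & 0xFF
    al = (al + dl) & 0xFF
    return al ^ dl


def _ecx_at(i, ecx, ecx_is_counter):
    # Assumption being modelled: either ECX is untouched by the loop, or it is decremented
    # once per byte (LOOP semantics), in which case CL and therefore the rotate count drift.
    return (ecx - i) & 0xFFFFFFFF if ecx_is_counter else ecx


def decode_buffer(data, edx=EDX, ecx=ECX, ecx_is_counter=False):
    return bytes(decode_byte(b, edx, _ecx_at(i, ecx, ecx_is_counter)) for i, b in enumerate(data))


def encode_buffer(data, edx=EDX, ecx=ECX, ecx_is_counter=False):
    return bytes(encode_byte(b, edx, _ecx_at(i, ecx, ecx_is_counter)) for i, b in enumerate(data))


if __name__ == "__main__":
    plain = b"kernel32.dll\0GetProcAddress\0VirtualAlloc\0"   # constructed plaintext
    for counter in (False, True):
        enc = encode_buffer(plain, ecx_is_counter=counter)
        assert decode_buffer(enc, ecx_is_counter=counter) == plain
        print("ecx_is_counter=%s enc=%s" % (counter, enc.hex()))
```

To use it against the artifact, run decode_buffer over the 0x1119 bytes at the location EDI points to under each ECX model and look for the one that yields readable strings or a valid header; if neither does, the cut-off loop tail mutates the key in some other way and the rest of the stub has to be disassembled first.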