Verdict: MALICIOUS
Risk Score: 420
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The sample is a Microsoft Word document that contains VBA macros and an embedded executable. Critical heuristics indicate exploitation of CVE-2008-2244 and the presence of an embedded PE executable, strongly suggesting it's a dropper. The VBA macro itself is minimal, but the overall structure points to a malicious document designed to execute a secondary payload, likely the embedded EXE.
Heuristics (10)

- CVE-2008-2244 — Microsoft Word record-parsing payload [critical; CVE likely; CVE_2008_2244]: Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- ClamAV: Doc.Dropper.Agent-5478884-0 [critical; CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-5478884-0
- XOR-encoded strings (key 0x94) [critical; SC_XOR_ENCODED]: Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x94: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess ', 'CreateFileA '

  Disassembly (attempted x86 opcode disassembly of the raw bytes at this offset). Note that a run of 0x94 bytes is what zero padding looks like under the single-byte XOR key 0x94 reported above, so the listing below is not a meaningful instruction stream until the region is decoded:

  ```
  0000193A  fff1            push ecx
  0000193C  e6fa            out 0xfa, al
  0000193E  f1              int1
  0000193F  f8              clc
  00001940  a7              cmpsd dword ptr [esi], dword ptr es:[edi]
  00001941  a6              cmpsb byte ptr [esi], byte ptr es:[edi]
  00001942  baf0f8f894      mov edx, 0x94f8f8f0
  00001947  f7aec8eab0e0    imul dword ptr [esi - 0x1f4f1538]
  0000194D  f1              int1
  0000194E  f9              stc
  0000194F  e4ba            in al, 0xba
  00001951  f0              .byte 0xf0
  00001952  fb              sti
  00001953  f7949494949494  not dword ptr [esp + edx*4 - 0x6b6b6b6c]
  0000195A  94              xchg esp, eax
  ; the single-byte instruction "94 xchg esp, eax" repeats at every offset from 0000195A through 00001978 (31 occurrences)
  00001979  2c98            sub al, 0x98
  0000197B  6469eb1f941fe4  imul ebp, ebx, 0xe41f941f
  00001982  8839            mov byte ptr [ecx], bh
  00001984  1f              pop ds
  00001985  d49c            aam 0x9c
  00001987  1d172f85d4      sbb eax, 0xd4852f17
  0000198C  94              xchg esp, eax
  0000198D  1f              pop ds
  0000198E  27              daa
  0000198F  2f              das
  00001990  85d4            test esp, edx
  00001992  94              xchg esp, eax
  00001993  97              xchg edi, eax
  00001994  e2a8            loop 0x193e
  00001996  1f              pop ds
  00001997  e2ec            loop 0x1985
  00001999  97              xchg edi, eax
  ```

- Embedded PE executable [critical; OLE_EMBEDDED_EXE]: MZ/PE header found inside document — possible embedded executable
- x86 GetPC stub (CALL $+5; POP EAX) [high; SC_GETPC_CALL]: x86 GetPC stub (CALL $+5; POP EAX)

  Disassembly (attempted x86 opcode disassembly). Note that the `jmp 0xd611` at 0000D60F (bytes f3 eb ff) targets the last byte of its own encoding, a common anti-disassembly trick, so the linear listing from 0000D612 onward is misaligned and should not be read as the real instruction stream:

  ```
  0000D606  e800000000    call 0xd60b
  0000D60B  58            pop eax
  0000D60C  83c008        add eax, 8
  0000D60F  f3ebff        jmp 0xd611
  0000D612  e083          loopne 0xd597
  0000D614  c02850        shr byte ptr [eax], 0x50
  0000D617  e800000000    call 0xd61c
  0000D61C  5e            pop esi
  0000D61D  b333          mov bl, 0x33
  0000D61F  8d460e        lea eax, [esi + 0xe]
  0000D622  8d7631        lea esi, [esi + 0x31]
  0000D625  2818          sub byte ptr [eax], bl
  0000D627  f8            clc
  0000D628  7300          jae 0xd62a
  0000D62A  c3            ret
  0000D62B  8bfe          mov edi, esi
  0000D62D  b9be010000    mov ecx, 0x1be
  0000D632  0018          add byte ptr [eax], bl
  0000D634  5a            pop edx
  0000D635  ac            lodsb al, byte ptr [esi]
  0000D636  fec8          dec al
  0000D638  ebff          jmp 0xd639
  0000D63A  e232          loop 0xd66e
  0000D63C  c1ebff        shr ebx, 0xff
  0000D63F  f0            .byte 0xf0
  0000D640  c0042403      rol byte ptr [esp], 3
  0000D644  58            pop eax
  0000D645  0400          add al, 0
  0000D647  aa            stosb byte ptr es:[edi], al
  0000D648  ebff          jmp 0xd649
  0000D64A  c9            leave
  0000D64B  7fe8          jg 0xd635
  0000D64D  a4            movsb byte ptr es:[edi], byte ptr [esi]
  0000D64E  bebdbcbb13    mov esi, 0x13bbbcbd
  0000D653  90            nop
  0000D654  b878b6b5c4    mov eax, 0xc4b5b678
  0000D659  8b939bf9acae  mov edx, dword ptr [ebx - 0x51530665]
  0000D65F  ad            lodsd eax, dword ptr [esi]
  0000D660  ac            lodsb al, byte ptr [esi]
  0000D661  1c28          sbb al, 0x28
  0000D663  0b            .byte 0x0b
  0000D664  a8d7          test al, 0xd7
  ```

- Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- OLE document has large unaccounted-for region [high; OLE_SLACK_ANOMALY]: OLE file is 60,807 bytes but its declared streams total only 23,307 bytes — 37,500 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- NOP-equivalent sled detected [medium; SC_NOP_EQUIV_SLED]: Long run of 0x61 bytes

  Disassembly (attempted x86 opcode disassembly; 0x61 decodes as the single-byte `popal`, which is why a run of it functions as a NOP-equivalent sled):

  ```
  00000611  61  popal
  ; the single-byte instruction "61 popal" repeats at every offset from 00000611 through 00000670 (96 occurrences)
  00000670  61  popal
  ```

- VBA macros detected [medium; OLE_VBA_MACROS]: Document contains VBA macro code
- Suspicious extracted artifact [medium; EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 545 bytes |
| embedded_office_00006e00.exe | embedded-pe | Office MZ+PE at offset 0x6E00 | 32647 bytes |

macros.bas
SHA-256: a7dd048f93dee3ad2d206a754ed64d579a87c5acc96cbb88e1b8d42ff2c42bde

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub Macro1()
Attribute Macro1.VB_Description = "宏在 2000-12-4 由 Fool 录制"
Attribute Macro1.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Macro1"
'
' Macro1 Macro
' Macro recorded on 2000-12-4 by Fool
'
End Sub
```

embedded_office_00006e00.exe
SHA-256: dfd8ce0a27d070edd530b87b05ac0a86d8d8e3d71243828f1dea23a5b8613b25

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_GETPROCADDRESS. Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, GetProcAddress