Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 fdf320dcf406380f…

MALICIOUS

Office (OLE) / .DOC

121.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: ad3f813c5420b00ad66d1a1b22f81f68 SHA-1: 61184c0b38e6d4e8920ee7790ac5aca8346dd307 SHA-256: fdf320dcf406380f7bc24582f0f4875ebded569f4230e6a0bbbc3ab6a2976caf
364 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer

This OLE document contains a critical vulnerability (CVE-2008-2244) that allows for the embedding of a PE executable. The presence of a NOP sled, WinExec API reference, and XOR-encoded strings further indicate malicious intent. The embedded executable is likely a second-stage payload, and the document's structure suggests it's designed to exploit this vulnerability upon opening.

Heuristics 8

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • XOR-encoded strings (key 0xC1) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xC1: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryExA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess', 'ExitProcess'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Exploit.13525-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.13525-1
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 124,416 bytes but its declared streams total only 16,486 bytes — 107,930 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00004c00.exe
a6eb15c351bd735ba70751536df87c1b013b6fb6b1585c0cebb5c7fd3b0fb0e8		 embedded-pe Office MZ+PE at offset 0x4C00 104960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.