Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04593087da608dc7…

MALICIOUS

Office (OLE)

Size: 282.6 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2015-10-13
MD5: e29c4652c859b390bb166a908cf7ab50
SHA-1: c0b72ca7e37919c5dc79aa1af87c687cf4e794a5
SHA-256: 04593087da608dc7a8ba1af272c47f5a017cf41ce429a286ca7b621c985d1779
Risk score: 400

Heuristics (9)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • XOR-encoded strings (key 0x57) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x57: 'RegOpenKeyExA'
    Disassembly
    x86 disassembly · validity: uncertain (0.59) — 2/4 branch targets land on an instruction boundary (50% coherence)
    000035FA  0532301827        add eax, 0x27183032
    000035FF  3239              xor bh, byte ptr [ecx]
    00003601  1c32              sbb al, 0x32
    00003603  2e122f            adc ch, byte ptr cs:[edi]
    00003606  16                push ss
    00003607  57                push edi
    00003608  0532301332        add eax, 0x32133032
    0000360D  3b32              cmp esi, dword ptr [edx]
    0000360F  2332              and esi, dword ptr [edx]
    00003611  1c32              sbb al, 0x32
    00003613  2e16              push ss
    00003615  57                push edi
    00003616  053230143b        add eax, 0x3b143032
    0000361B  382432            cmp byte ptr [edx + esi], ah
    0000361E  1c32              sbb al, 0x32
    00003620  2e57              push edi
    00003622  0438              add al, 0x38
    00003624  3123              xor dword ptr [ebx], esp
    00003626  2036              and byte ptr [esi], dh
    00003628  25320b1a3e        and eax, 0x3e1a0b32
    0000362D  3425              xor al, 0x25
    0000362F  382438            cmp byte ptr [eax + edi], ah
    00003632  3123              xor dword ptr [ebx], esp
    00003634  0b18              or ebx, dword ptr [eax]
    00003636  3131              xor dword ptr [ecx], esi
    00003638  3e3432            xor al, 0x32
    0000363B  0b6666            or esp, dword ptr [esi + 0x66]
    0000363E  7967              jns 0x36a7
    00003640  0b07              or eax, dword ptr [edi]
    00003642  3820              cmp byte ptr [eax], ah
    00003644  322507383e39      xor ah, byte ptr [0x393e3807]
    0000364A  230b              and ecx, dword ptr [ebx]
    0000364C  0532243e3b        add eax, 0x3b3e2432
    00003651  3e3239            xor bh, byte ptr ds:[ecx]
    00003654  342e              xor al, 0x2e
    00003656  57                push edi
    00003657  0423              add al, 0x23
    00003659  36                .byte 0x36
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API