Office (OLE) / .BIN malware analysis — malicious · 069b5ee7c6de661b

MALICIOUS

Office (OLE) / .BIN

487.3 KB Created: 2002-07-13 19:41:33 Authoring application: Microsoft Excel First seen: 2020-02-04

MD5: dd61d324153688ad4baef1088e9eb868 SHA-1: 099bd826a91e72f98c757d1eec32e739a47f568a SHA-256: 069b5ee7c6de661bcd44f975969774a4d1aa975ffc74be464dc394e0cd49405f

740 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1055 Process Injection T1203 Exploitation for Client Execution

The sample is an OLE document containing a large slack space anomaly and an embedded PE executable. Heuristics indicate the use of APIs such as URLDownloadToFile, WriteProcessMemory, and CreateRemoteThread, which are commonly used by malware to download and execute secondary payloads. The embedded executable and the API calls strongly suggest this file acts as a dropper.

Heuristics 16

ClamAV: Win.Malware.Ausiv-9940816-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Malware.Ausiv-9940816-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD

Reference to CreateRemoteThread API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x0C bytes found

Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'or' is 64% of instructions — a sled or padding/filler run, not program logic).
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 499,044 bytes but its declared streams total only 16,305 bytes — 482,739 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2079 bytes
SHA-256: `74729b2c819fa2a6d02dbf245c60c6a9183b05620ad7cce9473868b93d495a28`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub ThisMacro() ' Dummy macro in ThisWorkbook Dim x x = "Dummy macro in ThisWorkbook" End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{96F8CBB9-96DB-11D6-ACFB-90F6FAB8FE1D}{96F8CBB2-96DB-11D6-ACFB-90F6FAB8FE1D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Module1" Sub ClassMacro() ' Dummy macro in Module1 Dim x x = "Dummy macro in Module1" End Sub Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False
`embedded_office_00006001.exe`	embedded-pe	Office MZ+PE at offset 0x6001	474467 bytes
SHA-256: `0929f09ca36f3db033115dfab6d363f2f95a7b54cce098195c6a5df8de9cc85e`
Detection ClamAV: Win.Malware.Ausiv-9940816-0 Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: SC_STR_CREATEPROCESS, heap spray 0x0C, SC_STR_SHELLEXEC Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, LoadLibraryA, GetProcAddress, CreateProcessA, CreateRemoteThread Static shellcode analysis recovered command string(s): CmdLine->%s"

Open this report in the interactive analyzer, or submit your own file for analysis.