Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0afc2fa0e872ea4c…

MALICIOUS

Office (OLE)

Size: 865.5 KB
Created: 2009-01-17 12:59:39
Authoring application: WPS Office 个人版 (Personal Edition)
First seen: 2019-05-31
MD5: 60b70aaee393ae06691523259ad1c9ca
SHA-1: e6176821031cc6c873e54ee11ddd552456cd814a
SHA-256: 0afc2fa0e872ea4c05f7b44828b5289b65b84244cd7f9346393f617a078d49f0
Risk score: 660

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded PE executable, identified by ClamAV as Win.Trojan.Delf-1526. Heuristics indicate the presence of Metasploit shellcode and APIs commonly used for process injection and execution, such as WinExec, CreateProcess, and WriteProcessMemory. The document body appears to be a list of student scores, likely serving as a lure to conceal the malicious payload.

Heuristics (14)

  • ClamAV: Win.Trojan.Delf-1526 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Delf-1526
  • Metasploit reverse_tcp shellcode critical SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    x86 disassembly · validity: code (0.969) — 16/16 branch targets land on an instruction boundary (100% coherence)
    00066638  fc                cld
    00066639  e882000000        call 0x666c0
    0006663E  5f                pop edi
    0006663F  5e                pop esi
    00066640  5b                pop ebx
    00066641  8be5              mov esp, ebp
    00066643  5d                pop ebp
    00066644  c3                ret
    00066645  8d4000            lea eax, [eax]
    00066648  53                push ebx
    00066649  56                push esi
    0006664A  8bd8              mov ebx, eax
    0006664C  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0006664F  7436              je 0x66687
    00066651  8bf2              mov esi, edx
    00066653  85f6              test esi, esi
    00066655  7518              jne 0x6666f
    00066657  33c0              xor eax, eax
    00066659  8a4318            mov al, byte ptr [ebx + 0x18]
    0006665C  8b0485f03c4a00    mov eax, dword ptr [eax*4 + 0x4a3cf0]
    00066663  50                push eax
    00066664  a134574a00        mov eax, dword ptr [0x4a5734]
    00066669  8b00              mov eax, dword ptr [eax]
    0006666B  ffd0              call eax
    0006666D  8bd0              mov edx, eax
    0006666F  895324            mov dword ptr [ebx + 0x24], edx
    00066672  c6434401          mov byte ptr [ebx + 0x44], 1
    00066676  8b4304            mov eax, dword ptr [ebx + 4]
    00066679  e8ba060000        call 0x66d38
    0006667E  85f6              test esi, esi
    00066680  7505              jne 0x66687
    00066682  33c0              xor eax, eax
    00066684  894324            mov dword ptr [ebx + 0x24], eax
    00066687  5e                pop esi
    00066688  5b                pop ebx
    00066689  c3                ret
    0006668A  8bc0              mov eax, eax
    0006668C  3b5028            cmp edx, dword ptr [eax + 0x28]
    0006668F  7413              je 0x666a4
    00066691  895028            mov dword ptr [eax + 0x28], edx
    00066694  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Metasploit bind_tcp shellcode critical SC_MSF_BIND
    Metasploit bind_tcp shellcode
    Disassembly
    x86 disassembly · validity: code (0.944) — 9/10 branch targets land on an instruction boundary (90% coherence)
    0008D2B1  fc                cld
    0008D2B2  e889000000        call 0x8d340
    0008D2B7  c3                ret
    0008D2B8  e96fe8f8ff        jmp 0x1bb2c
    0008D2BD  ebf0              jmp 0x8d2af
    0008D2BF  33c0              xor eax, eax
    0008D2C1  8945f0            mov dword ptr [ebp - 0x10], eax
    0008D2C4  8b45f0            mov eax, dword ptr [ebp - 0x10]
    0008D2C7  8be5              mov esp, ebp
    0008D2C9  5d                pop ebp
    0008D2CA  c20400            ret 4
    0008D2CD  8d4000            lea eax, [eax]
    0008D2D0  55                push ebp
    0008D2D1  8bec              mov ebp, esp
    0008D2D3  83c4f4            add esp, -0xc
    0008D2D6  53                push ebx
    0008D2D7  894df4            mov dword ptr [ebp - 0xc], ecx
    0008D2DA  8955f8            mov dword ptr [ebp - 8], edx
    0008D2DD  8945fc            mov dword ptr [ebp - 4], eax
    0008D2E0  83caff            or edx, 0xffffffff
    0008D2E3  8b45fc            mov eax, dword ptr [ebp - 4]
    0008D2E6  e825fcffff        call 0x8cf10
    0008D2EB  85c0              test eax, eax
    0008D2ED  7448              je 0x8d337
    0008D2EF  33c0              xor eax, eax
    0008D2F1  55                push ebp
    0008D2F2  68045b4700        push 0x475b04
    0008D2F7  64ff30            push dword ptr fs:[eax]
    0008D2FA  648920            mov dword ptr fs:[eax], esp
    0008D2FD  8b4d08            mov ecx, dword ptr [ebp + 8]
    0008D300  8b55f8            mov edx, dword ptr [ebp - 8]
    0008D303  8b45fc            mov eax, dword ptr [ebp - 4]
    0008D306  8b18              mov ebx, dword ptr [eax]
    0008D308  ff5304            call dword ptr [ebx + 4]
    0008D30B  8b45fc            mov eax, dword ptr [ebp - 4]
    0008D30E  8b4034            mov eax, dword ptr [eax + 0x34]
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 886,272 bytes but its declared streams total only 96,991 bytes — 789,281 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0001842c.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x1842C
Size: 786900 bytes
SHA-256: 1d65eeb4a161451b4c1425355d3de56c78310d3153401e1181f9b62efc894ac5
Detection
ClamAV: Win.Trojan.Delf-1526
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_MSF_BIND, SC_STR_VIRTUALALLOC.
Static shellcode analysis recovered API/import strings: VirtualAlloc, LoadLibraryExA, GetProcAddress, ExitProcess, kernel32.dll, KERNEL32.DLL.