Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e161463a1c46604…

MALICIOUS

Office (OLE)

Size: 74.1 KB
Created: 2004-04-17 23:56:00
Authoring application: Microsoft Word 9.0
First seen: 2020-05-25
MD5: ddca573742c09abbec75ec69b9266524
SHA-1: 0ce06b61d980e46f4d26afdb8e6da5c064986eb0
SHA-256: 0e161463a1c466045930af75a59a88fbfdfb29c8fa95526ff7c04ebb8381050c
Risk score: 548

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The file is a Microsoft Word document that contains an embedded PE executable, flagged by the OLE_EMBEDDED_EXE heuristic. Its static layout matches CVE-2008-2244, a known vulnerability in Microsoft Word's record-parsing mechanism (MS08-042), which is used to reach and execute the payload hidden in the document's unallocated slack. The carved PE (embedded_office_00005800.exe) starts at offset 0x5800 and runs to the end of the 75,870-byte file. That PE is likely a second-stage downloader or dropper, as indicated by its references to the CreateProcess, WriteProcessMemory and CreateRemoteThread APIs, a combination typical of process injection.

Heuristics (13)

  • CVE-2008-2244 — Microsoft Word record-parsing payload [critical, likely] (CVE_2008_2244)
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • Reference to WriteProcessMemory API [critical] (SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API [critical] (SC_STR_CREATEREMOTETHREAD)
  • XOR-encoded strings (key 0x94) [critical] (SC_XOR_ENCODED)
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x94: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA'. This set (LoadLibraryA plus GetProcAddress) is the import-resolution pattern of position-independent shellcode.
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API [high] (SC_STR_WINEXEC)
  • Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 75,870 bytes but its declared streams total only 16,523 bytes — 59,347 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API [medium] (SC_STR_VIRTUALPROTECT)
  • VBA project contains no executable statements [low] (OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 357 bytes
SHA-256: 45a4b3651762a7c760540d16489d504e5ad9462cf46675ae9168748a05b0f967
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Filename: embedded_office_00005800.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5800
Size: 53342 bytes
SHA-256: 40d784e02782ecbe82bff6869f85ccb0463fb99d5355ef2d6435c1fec6d4ed79