Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10c17628f78f79cc…

MALICIOUS

Office (OLE)

176.6 KB Created: 2012-11-23 04:35:00 Authoring application: Microsoft Office Word First seen: 2015-09-23
MD5: 70286e6a77d827e77611980bd065f890 SHA-1: 6aeb74f5ff71d11de0b28d158f92b6a0853cae87 SHA-256: 10c17628f78f79ccfc2a63e0dea49518bb2b7956e70ddf953d1c92475adab247
302 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious OLE (binary Word) document whose MSCOMCTL.Toolbar control matches the exploit pattern for CVE-2012-0158 / CVE-2012-1856, with CVE-2012-1856 the likelier of the two, giving arbitrary code execution when the document is opened. 88% of the file sits in unallocated sector slack outside any declared stream and holds a high-entropy payload that carries a VirtualAlloc reference XOR-encoded with key 0x20, consistent with shellcode that allocates memory and stages a decoded second-stage payload from within the document. No download URL was recovered; the only extracted URL is the DrawingML schema namespace. A run of 0x90 bytes consistent with a NOP sled was also found, though on its own that is a weak indicator.

Heuristics 8

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856
    MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
  • ClamAV: Doc.Exploit.Agent-1388627 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.Agent-1388627
  • XOR-encoded strings (key 0x20) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x20: 'VirtualAlloc'. In the raw file the bytes at 0x1D182 read 'vIRTUALaLLOC' (XOR with 0x20 flips ASCII letter case), so the listing below disassembles still-encoded data and its mnemonics are not real code.
    Disassembly
    Attempted x86 opcode disassembly
    0001D182  7649              jbe 0x1d1cd
    0001D184  52                push edx
    0001D185  54                push esp
    0001D186  55                push ebp
    0001D187  41                inc ecx
    0001D188  4c                dec esp
    0001D189  61                popal
    0001D18A  4c                dec esp
    0001D18B  4c                dec esp
    0001D18C  4f                dec edi
    0001D18D  43                inc ebx
    0001D18E  2020              and byte ptr [eax], ah
    0001D190  06                push es
    0001D191  216785            and dword ptr [edi - 0x7b], esp
    0001D194  94                xchg esp, eax
    0001D195  ad                lodsd eax, dword ptr [esi]
    0001D196  8f84958c85a881    pop dword ptr [ebp + edx*4 - 0x7e577a74]
    0001D19D  8e848c85a1e0e0    mov es, word ptr [esp + ecx*4 - 0x1f1f5e7b]
    0001D1A4  b0e1              mov al, 0xe1
    0001D1A6  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
    0001D1A7  8594b394819294    test dword ptr [ebx + esi*4 - 0x6b6d7e6c], edx
    0001D1AE  95                xchg ebp, eax
    0001D1AF  90                nop
    0001D1B0  a98e864f61        test eax, 0x614f868e
    0001D1B5  206b65            and byte ptr [ebx + 0x65], ch
    0001D1B8  726e              jb 0x1d228
    0001D1BA  656c              insb byte ptr es:[edi], dx
    0001D1BC  1312              adc edx, dword ptr [edx]
    0001D1BE  0e                push cs
    0001D1BF  44                inc esp
    0001D1C0  4c                dec esp
    0001D1C1  4c                dec esp
    0001D1C2  2020              and byte ptr [eax], ah
    0001D1C4  b122              mov cl, 0x22
    0001D1C6  7550              jne 0x1d218
    0001D1C8  44                inc esp
    0001D1C9  41                inc ecx
    0001D1CA  54                push esp
    0001D1CB  45                inc ebp
    0001D1CC  7749              ja 0x1d217
    0001D1CE  4e                dec esi
    0001D1CF  44                inc esp
    0001D1D0  4f                dec edi
    0001D1D1  57                push edi
    0001D1D2  2060d7            and byte ptr [eax - 0x29], ah
    0001D1D5  60                pushal
    0001D1D6  250e01020c        and eax, 0xc02010e
    0001D1DB  0537090e04        add eax, 0x40e0937
    0001D1E0  0f                .byte 0x0f
    0001D1E1  17                pop ss
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes (24 at offset 0x2C50). The bytes that follow the run are sparse 0x00/0x80/0xFF patterns rather than code, so this is supporting evidence only; a 0x90 run can also occur in image or table data.
    Disassembly
    Attempted x86 opcode disassembly
    00002C50  90                nop
    00002C51  90                nop
    00002C52  90                nop
    00002C53  90                nop
    00002C54  90                nop
    00002C55  90                nop
    00002C56  90                nop
    00002C57  90                nop
    00002C58  90                nop
    00002C59  90                nop
    00002C5A  90                nop
    00002C5B  90                nop
    00002C5C  90                nop
    00002C5D  90                nop
    00002C5E  90                nop
    00002C5F  90                nop
    00002C60  90                nop
    00002C61  90                nop
    00002C62  90                nop
    00002C63  90                nop
    00002C64  90                nop
    00002C65  90                nop
    00002C66  90                nop
    00002C67  90                nop
    00002C68  0000              add byte ptr [eax], al
    00002C6A  0000              add byte ptr [eax], al
    00002C6C  0000              add byte ptr [eax], al
    00002C6E  0000              add byte ptr [eax], al
    00002C70  0000              add byte ptr [eax], al
    00002C72  0000              add byte ptr [eax], al
    00002C74  800000            add byte ptr [eax], 0
    00002C77  800000            add byte ptr [eax], 0
    00002C7A  008080008000      add byte ptr [eax + 0x800080], al
    00002C80  0000              add byte ptr [eax], al
    00002C82  800080            add byte ptr [eax], 0x80
    00002C85  0080800000c0      add byte ptr [eax - 0x3fffff80], al
    00002C8B  c0c000            rol al, 0
    00002C8E  808080000000ff    add byte ptr [eax + 0x80], 0xff
    00002C95  0000              add byte ptr [eax], al
    00002C97  ff00              inc dword ptr [eax]
    00002C99  0000              add byte ptr [eax], al
    00002C9B  ff                .byte 0xff
    00002C9C  ff00              inc dword ptr [eax]
    00002C9E  ff00              inc dword ptr [eax]
    00002CA0  0000              add byte ptr [eax], al
    00002CA2  ff00              inc dword ptr [eax]
    00002CA4  ff00              inc dword ptr [eax]
    00002CA6  ff                .byte 0xff
    00002CA7  ff00              inc dword ptr [eax]
    00002CA9  00ff              add bh, bh
    00002CAB  ff                .byte 0xff
    00002CAC  ff00              inc dword ptr [eax]
    00002CAE  ff                .byte 0xff
    00002CAF  ff                .byte 0xff
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 180,800 bytes but its declared streams total only 20,824 bytes — 159,976 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace present in any document with a drawing part; it is boilerplate, not a download location.
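Worked example for the SC_XOR_ENCODED finding, added here and not part of the analyser's output: the single-byte XOR search run over the 96 bytes copied from the disassembly listing at 0x1D182. It brute-forces the key by counting case-sensitive hits on a short list of loader API names (the list is an assumption for this illustration; the analyser's own markers are not published), then extracts identifier-like runs from the decoded buffer. Decoding the listed bytes surfaces not only VirtualAlloc but also a KERNEL32.dll import reference and the UpdateWindow API name, so the heuristic's count of one under-reports what is in this region.

```python
import re

# Constructed input: the bytes shown in the report's disassembly listing for
# the SC_XOR_ENCODED finding (file offsets 0x1D182-0x1D1E1), re-assembled here.
ENCODED_REGION = bytes.fromhex(
    "7649525455414c614c4c4f432020"            # 0x1D182: 'vIRTUALaLLOC' + two 0x20
    "0621678594ad8f84958c85a881"              # 0x1D190
    "8e848c85a1e0e0b0e1a78594b394819294"      # 0x1D19D
    "9590a98e864f61206b65726e656c13120e"      # 0x1D1AE
    "444c4c2020b12275504441544577494e444f57"  # 0x1D1BF
    "2060d760250e01020c0537090e040f17"        # 0x1D1D2
)

# Loader/API names shellcode commonly resolves. Assumed for this example;
# the analyser's real marker list is not shown in the report.
API_MARKERS = [
    b"VirtualAlloc", b"VirtualProtect", b"LoadLibraryA", b"GetProcAddress",
    b"WinExec", b"ExitProcess", b"CreateFileA", b"WriteFile",
    b"URLDownloadToFileA", b"kernel32", b"KERNEL32",
]


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (0x20 just flips ASCII letter case)."""
    return bytes(b ^ key for b in data)


def marker_hits(buf: bytes) -> int:
    """Case-sensitive count of marker occurrences. Case-insensitive matching
    would also accept the still-encoded 'vIRTUALaLLOC' and defeat the search."""
    return sum(buf.count(m) for m in API_MARKERS)


def find_xor_key(data: bytes):
    """Try all 256 single-byte keys; return (key, hits) for the best-scoring
    key (lowest key wins ties), or None when no key exposes any marker."""
    best_key = max(range(256),
                   key=lambda k: (marker_hits(xor_single_byte(data, k)), -k))
    hits = marker_hits(xor_single_byte(data, best_key))
    return (best_key, hits) if hits else None


def decode_strings(data: bytes, key: int, min_len: int = 6):
    """Decode with `key` and pull out identifier-like runs (letters, digits,
    '_' and '.') so DLL names such as KERNEL32.dll survive intact."""
    decoded = xor_single_byte(data, key)
    pattern = rb"[A-Za-z0-9_.]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]


if __name__ == "__main__":
    found = find_xor_key(ENCODED_REGION)
    if found:
        key, hits = found
        print(f"key=0x{key:02x} marker hits={hits}")
        for s in decode_strings(ENCODED_REGION, key):
            print("  ", s)
```

The scoring is deliberately case-sensitive: with key 0x20 the encoded text is just the plaintext with letter case inverted, so a case-folding match would score key 0x00 as well as 0x20 and the search would never settle on the real key.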
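Worked example for the OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD findings, added here and not the analyser's code: a minimal compound-file (CFB) reader that assembles the FAT, walks the directory to total the declared stream sizes, and then accounts for every sector in the file, treating any sector the FAT marks FREESECT or does not cover at all as unallocated slack. Because the analysed sample is not available here, the input is a constructed v3 compound file with one stream followed by 40 sectors that no FAT entry references; the stream name, sizes and filler bytes are assumptions for the illustration.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def load_fat(data: bytes):
    """Parse the CFB header and assemble the FAT from the 109 DIFAT slots in the
    header (enough for files up to ~6.9 MB; DIFAT sectors are not followed)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    major, _byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    sector_size = 1 << sector_shift
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sect in difat[:num_fat]:
        if sect == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data,
                                      (sect + 1) * sector_size))
    return major, sector_size, fat


def declared_streams(data: bytes, major: int, sector_size: int, fat: list) -> dict:
    """Walk the directory chain and return {stream name: declared size}."""
    sect = struct.unpack_from("<I", data, 0x30)[0]   # first directory sector
    sizes, seen = {}, set()
    while sect < len(fat) and sect not in seen:      # ENDOFCHAIN/FREESECT exceed len(fat)
        seen.add(sect)
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
            if obj_type != 2:                        # 2 = stream; 1 = storage, 5 = root
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", entry, 0x78)[0]
            if major == 3:                           # v3: only the low 32 bits are meaningful
                size &= 0xFFFFFFFF
            sizes[name] = size
        sect = fat[sect]
    return sizes


def slack_report(data: bytes) -> dict:
    """A sector past the end of the FAT, or marked FREESECT, holds no declared
    content: its bytes are unallocated slack, the classic payload hiding place."""
    major, sector_size, fat = load_fat(data)
    n_sectors = -(-(len(data) - sector_size) // sector_size)   # ceil, header excluded
    slack = 0
    for s in range(n_sectors):
        if s >= len(fat) or fat[s] == FREESECT:
            slack += min(sector_size, len(data) - (s + 1) * sector_size)
    streams = declared_streams(data, major, sector_size, fat)
    return {"file_size": len(data), "stream_total": sum(streams.values()),
            "slack_bytes": slack, "slack_pct": round(100 * slack / len(data)),
            "streams": streams}


def build_sample_ole(stream_size: int = 4200, slack_sectors: int = 40) -> bytes:
    """Constructed test input (not the analysed sample): a minimal v3 compound file
    with one stream, followed by sectors that no FAT entry accounts for."""
    ss = 512
    n_data = -(-stream_size // ss)
    fat = [FATSECT, ENDOFCHAIN]                                  # sector 0 = FAT, 1 = directory
    fat += [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]    # stream chain: sectors 2..n_data+1
    fat += [FREESECT] * (ss // 4 - len(fat))
    header = bytearray(ss)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: FAT lives in sector 0

    def entry(name, obj_type, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), obj_type, 1, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + \
                entry("WordDocument", 2, FREESECT, 2, stream_size)
    directory += bytes(ss - len(directory))
    stream = bytes((i * 7) & 0xFF for i in range(n_data * ss))
    slack = bytes((i * 13 + 5) & 0xFF for i in range(slack_sectors * ss))   # the "appended payload"
    return bytes(header) + struct.pack("<128I", *fat) + directory + stream + slack


if __name__ == "__main__":
    r = slack_report(build_sample_ole())
    print(f"{r['file_size']} bytes, streams declare {r['stream_total']}, "
          f"{r['slack_bytes']} bytes ({r['slack_pct']}%) unallocated")
```

Summing stream sizes alone understates what is legitimately present (FAT, directory and mini-FAT sectors are not streams), which is why the report's 88% figure is best read as the sector-level measure: bytes the FAT does not account for, rather than file size minus declared stream bytes.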