Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 11540adf127ee27b…

MALICIOUS

Office (OLE)

Size: 150.0 KB
Created: 2009-02-07 09:12:00
Authoring application: Microsoft Office Word
First seen: 2015-09-19
MD5: 3a908e359109b55be690bd1089706640
SHA-1: 61424081cfa392444a281667f966b78372a8840f
SHA-256: 11540adf127ee27b29aa47eac6f72a3b3e0df1a366dfaeaf89157b5a2014e4f8
Risk Score: 460

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1055 Process Injection
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample exhibits critical heuristics related to process injection (WriteProcessMemory, CreateRemoteThread) and suspicious command execution (cmd.exe with execution flag). It also contains an embedded PE executable and references to LoadLibrary and GetProcAddress, indicating it likely attempts to load and execute a secondary payload. The document body contains obfuscated strings that appear to construct a command line for executing a file, likely the embedded executable, and a path to a local document.

Heuristics (10)

  • ClamAV: Win.Trojan.Agent-561556 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-561556
  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
  • XOR-encoded strings (key 0x56) (critical, SC_XOR_ENCODED)
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x56: 'KERNEL32.DLL'
    Disassembly: attempted x86 opcode disassembly
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Embedded PE executable (high, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)