Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e677420d7a8160c…

MALICIOUS

Office (OLE)

Size: 172.0 KB | Created: 2011-04-04 06:50:00 | Authoring application: Microsoft Office Word | First seen: 2014-04-29

MD5: 96cf54e6d7e228a2c6418aba93d6bd49
SHA-1: 820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d
SHA-256: 1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f

Risk Score: 262

Heuristics (6)

  • ClamAV: Win.Trojan.Agent-30008 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-30008
  • XOR-encoded strings (key 0x85) (critical, SC_XOR_ENCODED)
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x85: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'RegOpenKeyExA'
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • Embedded Adobe Flash (SWF) in OLE document (critical, OFFICE_EMBEDDED_SWF)
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 176,144 bytes but its declared streams total only 22,169 bytes — 153,975 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (high, OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://adobe.com/AS3/2006/builtin (found in document text, OLE body)