Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2206af0b844787ad…

MALICIOUS

Office (OLE)

Size: 928.0 KB
Created: 2018-05-03 15:45:32
Authoring application: Microsoft Excel
First seen: 2019-05-31
MD5: 8eb66bac19e8de03b8cc705b48c00f3f
SHA-1: 8d8e241a43599963004c3e592b37064431795acb
SHA-256: 2206af0b844787adb940bda5d39d2576f92ca946ecfec892912c155feac87435
Risk Score: 362

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The file is an Office document containing an embedded OLE package that drops a PE executable. The package is flagged as a download-and-execute script, indicating it likely fetches and runs a second-stage payload. The presence of ShellExecute and LoadLibrary API references further supports the execution of external code.

Heuristics (9)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly (attempted x86 opcode disassembly)
    Caveat: the 0x48 bytes decoded below as "dec eax" are REX.W prefixes, and 48 83 ec 28 is the 64-bit prologue "sub rsp, 0x28", so this region is x64 code shown through a 32-bit decoder. Runs of 0x90 between a jmp thunk and a function prologue are also consistent with ordinary compiler alignment padding inside a PE, so this indicator is weak on its own; the embedded-executable and dropper-script findings above are what support the verdict.
    00003B91  90                nop
    00003B92  90                nop
    00003B93  90                nop
    00003B94  90                nop
    00003B95  90                nop
    00003B96  90                nop
    00003B97  90                nop
    00003B98  90                nop
    00003B99  90                nop
    00003B9A  90                nop
    00003B9B  90                nop
    00003B9C  90                nop
    00003B9D  90                nop
    00003B9E  90                nop
    00003B9F  90                nop
    00003BA0  90                nop
    00003BA1  90                nop
    00003BA2  90                nop
    00003BA3  90                nop
    00003BA4  90                nop
    00003BA5  90                nop
    00003BA6  48                dec eax
    00003BA7  ff25d90e0600      jmp dword ptr [0x60ed9]
    00003BAD  90                nop
    00003BAE  90                nop
    00003BAF  90                nop
    00003BB0  90                nop
    00003BB1  90                nop
    00003BB2  90                nop
    00003BB3  90                nop
    00003BB4  90                nop
    00003BB5  90                nop
    00003BB6  48                dec eax
    00003BB7  83ec28            sub esp, 0x28
    00003BBA  8d4101            lea eax, [ecx + 1]
    00003BBD  3bc1              cmp eax, ecx
    00003BBF  0f8241930300      jb 0x3cf06
    00003BC5  48                dec eax
    00003BC6  c1e002            shl eax, 2
    00003BC9  b9ffffffff        mov ecx, 0xffffffff
    00003BCE  48                dec eax
    00003BCF  3bc1              cmp eax, ecx
    00003BD1  0f872f930300      ja 0x3cf06
    00003BD7  8d480c            lea ecx, [eax + 0xc]
    00003BDA  3bc8              cmp ecx, eax
    00003BDC  0f8224930300      jb 0x3cf06
    00003BE2  8bd1              mov edx, ecx
    00003BE4  b940000000        mov ecx, 0x40
    00003BE9  ff15df060600      call dword ptr [0x606df]
    00003BEF  48                dec eax
    00003BF0  85                .byte 0x85
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/SMI/2005/WindowsSettings (source: embedded OLE package script)
    Note: this URL is the XML namespace used in Windows application manifests embedded in PE files; it is not a download location and is expected in any manifest-bearing executable.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_office_00002866.exe | embedded-pe | Office MZ+PE at offset 0x2866 | 939930 bytes
  SHA-256: 0b25e92498efff6f409b39fda5803f4cc22a450b2128adf1368db7464373a7ae
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_SHELLEXEC, SC_STR_LOADLIBRARY
  Static shellcode analysis recovered API/import strings: LoadLibraryW, LoadLibraryExA, GetProcAddress
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD000A5A77/Ole10Native | 918804 bytes
  SHA-256: cd5b7f5a389012f4a6982c55d8e1688d16d223dd95c6c3a82b14d16eff38ab05
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_SHELLEXEC, SC_STR_LOADLIBRARY
  Static shellcode analysis recovered API/import strings: LoadLibraryW, LoadLibraryExA, GetProcAddress