Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 244f3026b8e0ba67…

MALICIOUS

Office (OLE)

37.0 KB Created: 2014-08-03 19:21:00 Authoring application: Microsoft Office Word First seen: 2014-08-17
MD5: b711282aaac636795be74ac0ce93aea6 SHA-1: 2915b5defdbe295d288ac060b10f8e74fcb5713d SHA-256: 244f3026b8e0ba67882991acaa016d1a562094bf35c6666ebfece1da85bda297
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic auto-exec macro markers (Auto_Open) and references to WScript.Shell, indicating it is designed to execute commands. The presence of an embedded URL pointing to a .exe file suggests the document is a lure to download and run a second-stage payload. The large slack space in the OLE structure is also suspicious.

Heuristics 6

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 37,888 bytes but its declared streams total only 19,912 bytes — 17,976 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://moviebernie1996.ru/u.exe In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)