Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2673c67a118fbd6a…

MALICIOUS

Office (OLE)

128.5 KB First seen: 2017-10-10
MD5: 67e7c1231f79163e065ea5ca73a1f0e2 SHA-1: 60b7c2a94838d661f0220dde53e615510d4f1381 SHA-256: 2673c67a118fbd6aa4734623cfa4f3dd9815e803ec97622f99fb61919ad4bee6
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is a malicious PowerPoint document that contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely a shellcode payload designed to be loaded into memory. The embedded executable is identified as a critical finding, and the exploit CVE-2011-1269 / MS11-036 family further supports its malicious nature.

Heuristics 6

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.thawte.com0 In document text (OLE body)
    • http://ts-ocsp.ws.symantec.com07In document text (OLE body)
    • http://ocsp.verisign.com0In document text (OLE body)
    • http://sc.symcd.com0&In document text (OLE body)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0In document text (OLE body)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
    • http://crl.verisign.com/pca3.crl0In document text (OLE body)
    • https://www.verisign.com/cps0In document text (OLE body)
    • http://logo.verisign.com/vslogo.gif04In document text (OLE body)
    • http://www.symauth.com/cps0(In document text (OLE body)
    • http://www.symauth.com/rpa04In document text (OLE body)
    • http://crl.verisign.com/pca3-g5.crl0In document text (OLE body)
    • https://d.symcb.com/cps0%In document text (OLE body)
    • https://d.symcb.com/rpa0+In document text (OLE body)
    • http://sc.symcb.com/sc.crl0In document text (OLE body)
    • http://sc.symcb.com/sc.crt0In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001d000.exe embedded-pe Office MZ+PE at offset 0x1D000 12800 bytes
SHA-256: 5b72d5a065d91a46d833d0b91de7bc8c69a6e8da9f89d2ea606ceb03af4cad3a