Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3111da8f6a8e6148…

MALICIOUS

Office (OLE)

Size: 228.5 KB
Created: 2009-02-12 15:50:00
Authoring application: Microsoft Office Word
First seen: 2015-09-29
MD5: a22f1b82c57b9e564142b18bd50ce370
SHA-1: 826e07083eb6db9fb4f2473789d7c01f86165485
SHA-256: 3111da8f6a8e614837f4511285e8ce70b86486a1503290e1f048156512065847
Risk Score: 522

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The sample contains an embedded PE executable and references to Windows APIs like CreateProcess, VirtualAlloc, and WriteProcessMemory, indicating it attempts to execute code. The XOR-encoded strings and embedded executable suggest obfuscation and a multi-stage attack. The embedded URLs are likely used to download additional malicious components.

Heuristics (11)

  • ClamAV: Win.Malware.Barys-9946903-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Barys-9946903-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • XOR-encoded strings (key 0xC5) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC5: 'RegOpenKeyExA', 'ShellExecuteA'
    Disassembly
    Attempted x86 opcode disassembly
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://banana.boolker.com/xin87842647df/lin.asp+http://banana.boolker.com/838483dfotp/lin.asp+http://green.boolker.com/po23924898df/lin.asp (in document text, OLE body)
    • http://banana.boolker.com/xin09923929mxd/lin.asp+http://green.boolker.com/po9819219mxd/lin.asp (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00001200.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x1200
Size: 229376 bytes
SHA-256: c6e9f764a9274d8e8a26ae2ba97a18d40b9d13feb3d346a34d958dc12bdead79
Detection: ClamAV: Win.Malware.Barys-9946903-0
Obfuscation or payload: unlikely