Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 331b0ed975a1f0e7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 193.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2012-10-11
MD5: 422a44bacdc81c9db0352021a8fe0eb7
SHA-1: 7d96b7d6128fd5b8f9fb2ff345463102072d1a4d
SHA-256: 331b0ed975a1f0e7d53890977d9b328723dce3ecf09d09a03dc99666085c5e3f
Risk score: 420

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1203 Exploitation for Client Execution
  • T1055.012 Process Injection

The sample exhibits characteristics of a malicious executable, including a NOP sled, XOR-encoded strings, and the use of critical Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, CreateRemoteThread, LoadLibrary, and GetProcAddress. These indicators strongly suggest the execution of shellcode or a downloader designed to fetch and run a secondary payload. The OLE structure also shows an appended executable payload with high entropy.

Heuristics (10)

  • Reference to CreateRemoteThread API (severity: critical, rule: SC_STR_CREATEREMOTETHREAD)
  • XOR-encoded strings, key 0x90 (severity: critical, rule: SC_XOR_ENCODED)
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x90: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly: attempted x86 opcode disassembly of the flagged region
  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly: attempted x86 opcode disassembly of the flagged region
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 197,634 bytes but its declared streams total only 21,308 bytes — 176,326 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)