Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f9020ae20aae5e0…

MALICIOUS

Office (OLE)

Size: 46.0 KB
Created: 2013-04-21 07:04:03
Authoring application: Microsoft Excel
First seen: 2015-10-03
MD5: c9016df3f7ba3db94de0bc8a799d6dc0
SHA-1: 16b59171413fe5e914739618e2ee555428b5bf05
SHA-256: 3f9020ae20aae5e03792a214cf6a3d5ef8e4b8145f1f87b19950bac1312213ae
Risk score: 342

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The file is a malicious Microsoft Excel document containing an embedded PE executable, identified as 'server.exe', inside an OLE Package (Ole10Native) stream. Heuristics find Windows DLL and API names encoded with a single-byte XOR key (0xF6) and a dropped executable, so the document's purpose is to deliver and launch a secondary payload rather than to carry any spreadsheet content. The hidden names InternetOpenA and ShellExecuteA are the pairing expected of a download-then-execute routine, consistent with the T1105 mapping. The embedded executable is detected by ClamAV as Win.Trojan.Agent, a generic family signature that confirms the binary is known-bad but says nothing specific about its capabilities.

Heuristics (6)

  • ClamAV: Win.Trojan.Agent-36385 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36385
  • XOR-encoded strings (key 0xF6) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xF6: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'InternetOpenA', 'ShellExecuteA'
    Disassembly
    Attempted x86 opcode disassembly of the encoded region as stored. The bytes were fed to the disassembler still XOR-encoded, so the mnemonics below are not meaningful; decoding the same 96 bytes (0x6FAA to 0x7009) with key 0xF6 yields a NUL-separated import table: KERNEL32.DLL, ADVAPI32.dll, GDI32.dll, MSVCRT.dll, SHELL32.dll, SHLWAPI.dll, USER32.dll, WININET.dll, followed by a truncated "WS".
    00006FAA  bdb3a4b8b3        mov ebp, 0xb3b8a4b3
    00006FAF  bac5c4d8b2        mov edx, 0xb2d8c4c5
    00006FB4  babaf6b7b2        mov edx, 0xb2b7f6ba
    00006FB9  a0b7a6bfc5        mov al, byte ptr [0xc5bfa6b7]
    00006FBE  c4                .byte 0xc4
    00006FBF  d8929a9af6b1      fcom dword ptr [edx - 0x4e096566]
    00006FC5  b2bf              mov dl, 0xbf
    00006FC7  c5                .byte 0xc5
    00006FC8  c4                .byte 0xc4
    00006FC9  d8929a9af6bb      fcom dword ptr [edx - 0x44096566]
    00006FCF  a5                movsd dword ptr es:[edi], dword ptr [esi]
    00006FD0  a0b5a4a2d8        mov al, byte ptr [0xd8a2a4b5]
    00006FD5  92                xchg edx, eax
    00006FD6  9a9af6a5beb3ba    lcall 0xbab3, 0xbea5f69a
    00006FDD  bac5c4d892        mov edx, 0x92d8c4c5
    00006FE2  9a9af6a5bebaa1    lcall 0xa1ba, 0xbea5f69a
    00006FE9  b7a6              mov bh, 0xa6
    00006FEB  bfd8929a9a        mov edi, 0x9a9a92d8
    00006FF0  f6a3a5b3a4c5      mul byte ptr [ebx - 0x3a5b4c5b]
    00006FF6  c4                .byte 0xc4
    00006FF7  d8929a9af6a1      fcom dword ptr [edx - 0x5e096566]
    00006FFD  bfb8bfb8b3        mov edi, 0xb3b8bfb8
    00007002  a2d8929a9a        mov byte ptr [0x9a9a92d8], al
    00007007  f6                .byte 0xf6
    00007008  a1                .byte 0xa1
    00007009  a5                movsd dword ptr es:[edi], dword ptr [esi]
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    The sample references GetProcAddress; together with the XOR-hidden LoadLibraryA this is the usual pattern for resolving imports at run time so that the real API usage does not appear in the static import table.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
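As an added example (not part of the original report), the script below transcribes the 96 encoded bytes from the disassembly listing above, recovers the single-byte XOR key by trying all 256 candidates and scoring each decoding for strings any Windows import table contains, then splits the decoded bytes into NUL-terminated names. Only the bytes come from the report; the marker list, function names and scoring are my own choices. Of the five names the heuristic reports, only KERNEL32.DLL falls inside this window; the rest of what the window decodes to is the remainder of the encoded import table.

```python
"""Recover a single-byte XOR key from an encoded import-table window.

Added example for the XOR-encoded strings heuristic; not code from the
original report. ENCODED_WINDOW is transcribed from the report's disassembly
listing (offsets 0x6FAA-0x7009). MARKERS, the scoring and the helper names
are assumptions of this example.
"""
from __future__ import annotations

# Bytes copied from the report's listing, in offset order (96 bytes).
ENCODED_WINDOW = bytes.fromhex(
    "bdb3a4b8b3" "bac5c4d8b2" "babaf6b7b2" "a0b7a6bfc5" "c4"
    "d8929a9af6b1" "b2bf" "c5" "c4" "d8929a9af6bb" "a5"
    "a0b5a4a2d8" "92" "9a9af6a5beb3ba" "bac5c4d892" "9a9af6a5bebaa1"
    "b7a6" "bfd8929a9a" "f6a3a5b3a4c5" "c4" "d8929a9af6a1"
    "bfb8bfb8b3" "a2d8929a9a" "f6" "a1" "a5"
)

# Strings a XOR-encoded Windows import table is likely to contain.
MARKERS = (b"KERNEL32", b"USER32", b".DLL", b"LoadLibrary", b"GetProcAddress")


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Count case-insensitive marker hits; higher means more import-table-like."""
    upper = candidate.upper()
    return sum(upper.count(m.upper()) for m in MARKERS)


def recover_xor_key(data: bytes, skip_zero: bool = True) -> tuple[int, int]:
    """Try every key and return (best_key, score).

    Key 0x00 is skipped by default so data that already contains the markers
    in clear is not reported as 'encoded'."""
    best_key, best_score = -1, -1
    for key in range(256):
        if skip_zero and key == 0:
            continue
        s = score_plaintext(xor_decode(data, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, best_score


def split_c_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Split on NUL and keep printable-ASCII chunks of at least min_len bytes."""
    out: list[str] = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def decoded_import_names(data: bytes = ENCODED_WINDOW) -> tuple[int, list[str]]:
    """Recover the key for data and return it with the decoded names."""
    key, _ = recover_xor_key(data)
    return key, split_c_strings(xor_decode(data, key))


if __name__ == "__main__":
    key, names = decoded_import_names()
    print(f"key=0x{key:02X}")
    for name in names:
        print(" ", name)
```

Run as a script it reports key 0xF6 and the eight DLL names from KERNEL32.DLL through WININET.dll; the trailing two-byte "WS" fragment is dropped by the minimum-length filter. The marker approach generalises to any single-byte key, but it will not find a multi-byte or rolling key; for those, look for the NUL separators (the key bytes themselves) between names instead.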

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                                           Size
embedded_office_00000c6e.exe  embedded-pe  Office MZ+PE at offset 0xC6E                     43922 bytes
  SHA-256: c7875f518bf99c9d8bac915b4c499b3d2b14916e16e60d58689d8aa2df244e20
  Detection: ClamAV: Win.Trojan.Agent-36385
  Obfuscation or payload: likely (carved artifact entropy 7.67, consistent with packed or encrypted content)
  Note: 0xC6E + 43922 bytes = 47104 bytes, the end of the 46.0 KB file, so this carve runs from the MZ header to EOF. Its length and hash are those of the carve, not of the PE as the package stores it; the Ole10Native artifact below is the bounded container of the payload.
ole10native_00.bin            ole-package  OLE Ole10Native stream: MBD002B6393/Ole10Native  29353 bytes
  SHA-256: ced70728196268b3609dffe0f744efa76753ee74c152d604f4ba38e06ca62d4a
  Detection: ClamAV: Win.Trojan.Agent-36383
  Obfuscation or payload: likely (carved artifact entropy 7.58, consistent with packed or encrypted content)
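As an added example (not part of the original report) of the check behind the OFFICE_PACKAGE_RISKY_FILE heuristic, the script below parses an Ole10Native (Packager) stream such as the one carved above, pulls out the package label, original path, temp path and payload, and flags names that end in an extension Windows runs directly on double-click. The stream layout assumed here is the common Packager layout that oletools' oleobj parses (total size, 16-bit flags, label, original path, two reserved dwords, temp path, data size, data). SAMPLE_STREAM is a constructed stream carrying a 64-byte stand-in payload named server.exe; it is not the 29353-byte stream from the sample, and the extension list is my own.

```python
"""Parse an Ole10Native package stream and flag auto-executable payloads.

Added example; not code from the original report. Layout assumed: the
Packager/Ole10Native format as oletools' OleNativeStream reads it. The
sample stream below is constructed for the example.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Extensions Windows executes directly on double-click (assumed list).
AUTO_EXEC_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".jar",
}


@dataclass
class Ole10Native:
    label: str
    original_path: str
    temp_path: str
    payload: bytes

    def is_auto_executable(self) -> bool:
        """True if the label or either recorded path ends in a risky extension."""
        for name in (self.label, self.original_path, self.temp_path):
            lower = name.lower()
            if any(lower.endswith(ext) for ext in AUTO_EXEC_EXTENSIONS):
                return True
        return False


def _read_cstring(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a NUL-terminated ANSI string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse the stream; raise ValueError on truncated or inconsistent sizes."""
    total_size = struct.unpack_from("<I", stream, 0)[0]
    if total_size + 4 > len(stream):
        raise ValueError("declared size exceeds stream length")
    pos = 4
    pos += 2  # flags, typically 0x0002 for a Packager object
    label, pos = _read_cstring(stream, pos)
    original_path, pos = _read_cstring(stream, pos)
    pos += 8  # two reserved dwords
    temp_path, pos = _read_cstring(stream, pos)
    data_size = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    payload = stream[pos:pos + data_size]
    if len(payload) != data_size:
        raise ValueError("payload truncated")
    return Ole10Native(label, original_path, temp_path, payload)


def build_ole10native(label: str, original_path: str, temp_path: str,
                      payload: bytes) -> bytes:
    """Serialise the same layout; used here only to construct the sample."""
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += original_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, 0)
    body += temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample: a 64-byte stand-in payload (MZ header only) named server.exe.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLE_STREAM = build_ole10native(
    "server.exe",
    r"C:\Users\user\Desktop\server.exe",
    r"C:\Users\user\AppData\Local\Temp\server.exe",
    FAKE_PE,
)


def triage(stream: bytes) -> dict:
    """Return the facts a package-triage heuristic would report."""
    pkg = parse_ole10native(stream)
    return {
        "label": pkg.label,
        "original_path": pkg.original_path,
        "payload_is_pe": pkg.payload[:2] == b"MZ",
        "payload_size": len(pkg.payload),
        "auto_executable": pkg.is_auto_executable(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STREAM))
```

Checking all three names matters: the label shown to the user can be benign-looking while the original or temp path still ends in .exe, and it is the path Packager reuses when the object is activated. Feeding the real ole10native_00.bin to parse_ole10native gives the bounded payload whose size and hash should be compared with the MZ-to-EOF carve above.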