Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42b8ef8ac574488c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2014-01-03
MD5: fa1ae228ece85febeb73c75f1f34fe2e
SHA-1: 97b1336617cccd3e92be33148c89d085a7e58aaa
SHA-256: 42b8ef8ac574488c2905149a63215d33f01e1c7990e839abdf71da90030905ce
Risk Score: 380

Heuristics (8)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical, CVE related] (PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD)
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (an embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • ClamAV: Win.Trojan.Exploit-110 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • Reference to WriteProcessMemory API [critical] (SC_STR_WRITEPROCESSMEMORY)
  • XOR-encoded strings (key 0x10) [critical] (SC_XOR_ENCODED)
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x10: 'GetProcAddress', 'RegOpenKeyExA'
    Disassembly hidden: these bytes score as data, not coherent x86 code (13/25 branch targets land on an instruction boundary, 52% coherence).
  • Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)