Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52c907f01c77c861…

MALICIOUS

Office (OLE)

Size: 512.0 KB
Created: 2007-03-13 00:36:00
Authoring application: Microsoft Office Word
First seen: 2015-09-30
MD5: 85deeb8dbc4827d05d77fde1181b7570
SHA-1: 975658f19888d1d08788d221f2f7f3aca4c8b90e
SHA-256: 52c907f01c77c861c74c61ed0948983363f84762bfb62ade5c7a3390679ac669
Risk Score: 142

Malware Insights

The sample is an OLE document whose declared streams account for only 32,579 of its 524,288 bytes; the remaining 94% sits in sector slack that no stream claims. That region carries eight Windows library/API names XOR-encoded with the single-byte key 0x55 (kernel32.dll, comctl32.dll, LoadLibraryA, LoadLibraryW) and an x86 GetPC stub (CALL $+5; POP EAX), the idiom position-independent shellcode uses to learn its own address. Neither has any place in a legitimate Word file. The user-visible body appears to be benign training material in Chinese, so the malicious content is not where a reader would look. The one extracted URL (http://www.url.com/) occurs in the document text and is informational only; it is not part of the verdict. Of the four heuristics, SC_XOR_ENCODED (critical) is the strongest signal, as encoded import names almost always indicate packed or obfuscated code; SC_GETPC_CALL and OLE_SLACK_ANOMALY (both high) corroborate it.

Heuristics (4)

  • XOR-encoded strings (key 0x55) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with the single-byte key 0x55 (8 hits, 4 distinct names; repeats are separate occurrences): 'kernel32.dll', 'kernel32.dll', 'comctl32.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryW'. Code that stores its import names encoded and decodes them at run time does so to defeat string-based scanning; a well-formed Word document has no reason to contain XOR-encoded import names.
    Disassembly
    Attempted x86 opcode disassembly. The first 12 bytes (3e 30 27 3b 30 39 66 67 7b 31 39 39) are the encoded string itself and XOR to 'kernel32.dll' under key 0x55, so the instructions decoded from 00028D14 to 00028D23 are meaningless. From 00028D24 onward the bytes are not encoded: they form an ordinary function prologue (push ebp; mov ebp, esp) that installs an fs:[0] exception frame (push fs:[eax]; mov fs:[eax], esp), the try/finally idiom Borland/Delphi compilers emit. The listing is cut off mid-instruction at 00028D72 (8d 45 is the start of a lea eax, [ebp+disp8]).
    00028D14  3e3027            xor byte ptr ds:[edi], ah
    00028D17  3b30              cmp esi, dword ptr [eax]
    00028D19  396667            cmp dword ptr [esi + 0x67], esp
    00028D1C  7b31              jnp 0x28d4f
    00028D1E  3939              cmp dword ptr [ecx], edi
    00028D20  0000              add byte ptr [eax], al
    00028D22  0000              add byte ptr [eax], al
    00028D24  55                push ebp
    00028D25  8bec              mov ebp, esp
    00028D27  83c4f8            add esp, -8
    00028D2A  53                push ebx
    00028D2B  33d2              xor edx, edx
    00028D2D  8955f8            mov dword ptr [ebp - 8], edx
    00028D30  8945fc            mov dword ptr [ebp - 4], eax
    00028D33  8b45fc            mov eax, dword ptr [ebp - 4]
    00028D36  e8f938f7ff        call 0xfff9c634
    00028D3B  33c0              xor eax, eax
    00028D3D  55                push ebp
    00028D3E  6880194900        push 0x491980
    00028D43  64ff30            push dword ptr fs:[eax]
    00028D46  648920            mov dword ptr fs:[eax], esp
    00028D49  8d55f8            lea edx, [ebp - 8]
    00028D4C  8b45fc            mov eax, dword ptr [ebp - 4]
    00028D4F  e8e0ceffff        call 0x25c34
    00028D54  8b45f8            mov eax, dword ptr [ebp - 8]
    00028D57  50                push eax
    00028D58  e81bffffff        call 0x28c78
    00028D5D  5a                pop edx
    00028D5E  e855d3ffff        call 0x260b8
    00028D63  8bd8              mov ebx, eax
    00028D65  33c0              xor eax, eax
    00028D67  5a                pop edx
    00028D68  59                pop ecx
    00028D69  59                pop ecx
    00028D6A  648910            mov dword ptr fs:[eax], edx
    00028D6D  6887194900        push 0x491987
    00028D72  8d                .byte 0x8d
    00028D73  45                inc ebp
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    CALL $+5 pushes the address of the next instruction and POP EAX retrieves it, which is how position-independent shellcode learns where it was loaded; AND EAX, 0xFFFFF000 then rounds that address down to the start of its 4 KiB page. The second CALL $+5 at 000355C7 pushes the address of the data that immediately follows it (000355CC). A linear disassembler reads on into that data, so nothing listed after 000355CC is code. Read as data, the bytes from 000355D0 form fixed-layout records: a DWORD 0xFFFFFFFF, a DWORD length, then that many bytes XOR-encoded with the same key 0x55, padded to a 4-byte boundary. Decoded, they are LdrLoadDll (10), LdrGetDllHandle (15), NtClose (7) and a 19-byte name beginning NtFreeVi where the listing ends: ntdll exports the stub can resolve by hand, with the 0xFFFFFFFF slots plausibly reserved for the resolved addresses.
    Disassembly
    Attempted x86 opcode disassembly
    000355BC  e800000000        call 0x355c1
    000355C1  58                pop eax
    000355C2  2500f0ffff        and eax, 0xfffff000
    000355C7  e800000000        call 0x355cc
    000355CC  0000              add byte ptr [eax], al
    000355CE  0000              add byte ptr [eax], al
    000355D0  ff                .byte 0xff
    000355D1  ff                .byte 0xff
    000355D2  ff                .byte 0xff
    000355D3  ff0a              dec dword ptr [edx]
    000355D5  0000              add byte ptr [eax], al
    000355D7  0019              add byte ptr [ecx], bl
    000355D9  3127              xor dword ptr [edi], esp
    000355DB  193a              sbb dword ptr [edx], edi
    000355DD  3431              xor al, 0x31
    000355DF  1139              adc dword ptr [ecx], edi
    000355E1  3900              cmp dword ptr [eax], eax
    000355E3  00ff              add bh, bh
    000355E5  ff                .byte 0xff
    000355E6  ff                .byte 0xff
    000355E7  ff0f              dec dword ptr [edi]
    000355E9  0000              add byte ptr [eax], al
    000355EB  0019              add byte ptr [ecx], bl
    000355ED  3127              xor dword ptr [edi], esp
    000355EF  1230              adc dh, byte ptr [eax]
    000355F1  2111              and dword ptr [ecx], edx
    000355F3  3939              cmp dword ptr [ecx], edi
    000355F5  1d343b3139        sbb eax, 0x39313b34
    000355FA  3000              xor byte ptr [eax], al
    000355FC  ff                .byte 0xff
    000355FD  ff                .byte 0xff
    000355FE  ff                .byte 0xff
    000355FF  ff07              inc dword ptr [edi]
    00035601  0000              add byte ptr [eax], al
    00035603  001b              add byte ptr [ebx], bl
    00035605  2116              and dword ptr [esi], edx
    00035607  393a              cmp dword ptr [edx], edi
    00035609  263000            xor byte ptr es:[eax], al
    0003560C  ff                .byte 0xff
    0003560D  ff                .byte 0xff
    0003560E  ff                .byte 0xff
    0003560F  ff13              call dword ptr [ebx]
    00035611  0000              add byte ptr [eax], al
    00035613  001b              add byte ptr [ebx], bl
    00035615  2113              and dword ptr [ebx], edx
    00035617  27                daa
    00035618  3030              xor byte ptr [eax], dh
    0003561A  03                .byte 0x03
    0003561B  3c                .byte 0x3c
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 524,288 bytes, but its declared streams total only 32,579 bytes; 491,709 bytes (94%) lie in sectors that no stream claims (unallocated sector slack). This is the canonical hiding place for exploit-style, non-macro Office payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure rather than through VBA. A reader who opens the file sees only the 32 KB of declared content; the parser bug, not the user, is what reaches the rest.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.url.com/ (in document text, OLE body)
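The two disassembly listings above can be checked by hand. The Python below is an added example, not part of this report or of the tool that produced it: it takes the raw bytes transcribed from the two listings (the encoded 'kernel32.dll' at 00028D14 and the GetPC stub plus the bytes after it at 000355BC), brute-forces the single-byte XOR key that SC_XOR_ENCODED reported instead of assuming it, and parses the record table that follows the stub. The list of API names it searches for and the record layout ([0xFFFFFFFF][length][encoded name], 4-byte padded) are assumptions of the example, the latter inferred from the listing and not documented anywhere in the report.

```python
import re
import struct

# Constructed sample input: the bytes below are transcribed from the two disassembly
# listings in this report. They are all this example knows about the file; the rest
# of the 512 KB is not reproduced here.
XOR_REGION = bytes.fromhex(
    "3e30273b303966677b313939"      # 'kernel32.dll' XOR 0x55 (offset 00028D14)
    "00000000"
    "558bec83c4f853"                # push ebp; mov ebp,esp; add esp,-8; push ebx (not encoded)
)
GETPC_REGION = bytes.fromhex(
    "e800000000" "58"               # call $+5 ; pop eax            (offset 000355BC)
    "2500f0ffff"                    # and eax, 0xfffff000
    "e800000000"                    # call $+5 (pushes the address of the data below)
    "00000000"
    "ffffffff0a000000" "193127193a3431113939" "0000"                 # record 1
    "ffffffff0f000000" "1931271230211139391d343b313930" "00"        # record 2
    "ffffffff07000000" "1b2116393a2630" "00"                        # record 3
    "ffffffff13000000" "1b2113273030033c"                           # record 4 (listing ends)
)

# Names worth looking for under a single-byte XOR. This short list is an assumption
# of the example; a real scanner would carry a much longer one.
API_NAMES = [b"kernel32.dll", b"comctl32.dll", b"LoadLibraryA", b"LoadLibraryW",
             b"GetProcAddress", b"LdrLoadDll", b"LdrGetDllHandle", b"NtClose"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key via a 256-entry translation table."""
    return data.translate(bytes(i ^ key for i in range(256)))


def scan_single_byte_xor(blob: bytes, names=API_NAMES):
    """Try every key 1..255 and report (key, offset, name) for each decoded hit.

    This is what SC_XOR_ENCODED does in principle: the key is not known up front,
    it is recovered from whichever key makes known names appear.
    """
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        for name in names:
            for m in re.finditer(re.escape(name), decoded):
                hits.append((key, m.start(), name.decode("ascii")))
    return hits


GETPC_STUB = b"\xe8\x00\x00\x00\x00\x58"   # call $+5 ; pop eax


def find_name_table(blob: bytes) -> int:
    """Offset of the first 0xFFFFFFFF marker after a GetPC stub, or -1 if absent."""
    stub = blob.find(GETPC_STUB)
    if stub < 0:
        return -1
    return blob.find(b"\xff\xff\xff\xff", stub + len(GETPC_STUB))


def parse_name_table(blob: bytes, start: int, key: int = 0x55):
    """Walk records of [DWORD 0xFFFFFFFF][DWORD length][length XOR-encoded bytes],
    each padded to a 4-byte boundary (the layout observed in the listing; an assumption).

    Returns (declared_length, decoded_name, truncated) per record. A truncated record
    means the blob ended before the declared length was reached.
    """
    records = []
    pos = start
    while 0 <= pos and pos + 8 <= len(blob):
        marker, length = struct.unpack_from("<II", blob, pos)
        if marker != 0xFFFFFFFF:
            break
        encoded = blob[pos + 8: pos + 8 + length]
        name = xor_bytes(encoded, key).decode("ascii", errors="replace")
        truncated = len(encoded) < length
        records.append((length, name, truncated))
        if truncated:
            break
        pos = (pos + 8 + length + 3) & ~3
    return records


if __name__ == "__main__":
    for key, off, name in scan_single_byte_xor(XOR_REGION + GETPC_REGION):
        print(f"key 0x{key:02x} @ {off:4d}: {name}")
    for length, name, truncated in parse_name_table(GETPC_REGION, find_name_table(GETPC_REGION)):
        print(f"len {length:2d}: {name}{' (listing ends here)' if truncated else ''}")
```

Run against the transcribed bytes, every hit comes back under key 0x55, and the table yields LdrLoadDll, LdrGetDllHandle, NtClose and the cut-off NtFreeVi. On a whole file the same scan is slow but simple: 255 translations of the blob, then a multi-pattern search; a brute force over the 491 KB slack region of this sample takes well under a second.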
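The OLE_SLACK_ANOMALY figure (declared stream bytes against file size) can be reproduced from nothing more than the CFB header, the FAT and the directory. The Python below is an added example and not the analysis tool's code: ole_accounting() walks those three structures and reports the bytes that no stream and no FAT entry account for, and build_sample_ole() constructs a small synthetic document with one 600-byte stream followed by six unallocated sectors so the check runs offline (the real 512 KB sample is not reproduced here). It follows only the 109 DIFAT slots in the header, which covers files up to about 6.8 MiB with 512-byte sectors and is more than enough for this one.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def ole_accounting(data: bytes) -> dict:
    """Compare what the OLE/CFB directory declares against the bytes actually present.

    Only the 109 DIFAT slots in the header are followed (files larger than roughly
    6.8 MiB with 512-byte sectors would need the DIFAT sector chain as well).
    """
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    sector_size = 1 << sector_shift
    num_fat_sectors, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)

    # Sector n lives at (n + 1) * sector_size: the header occupies the slot before sector 0.
    fat = []
    for sec in difat[:num_fat_sectors]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sec + 1) * sector_size))

    # Walk the directory chain and collect every stream entry (type 2); storages and
    # the root entry (types 1 and 5) own no bytes of their own.
    streams = []
    sec, seen = first_dir, set()
    while sec < len(fat) and sec not in seen:
        seen.add(sec)
        base = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)
            if etype == 2 and name_len >= 2:
                name = entry[:name_len - 2].decode("utf-16-le", errors="replace")
                start, size = struct.unpack_from("<IQ", entry, 116)
                streams.append((name, size))
        sec = fat[sec]

    total_sectors = len(data) // sector_size - 1
    free_sectors = sum(1 for i in range(min(total_sectors, len(fat))) if fat[i] == FREESECT)
    beyond_fat = max(0, total_sectors - len(fat))   # sectors no FAT entry describes at all
    tail = len(data) % sector_size                   # bytes after the last whole sector
    slack = (free_sectors + beyond_fat) * sector_size + tail
    return {
        "file_size": len(data),
        "sector_size": sector_size,
        "streams": [n for n, _ in streams],
        "stream_bytes": sum(s for _, s in streams),
        "slack_bytes": slack,
        "slack_ratio": slack / len(data),
    }


def build_sample_ole(payload: bytes = b"A" * 600, free_sectors: int = 6) -> bytes:
    """Constructed test input (not derived from the real sample): a minimal v3 CFB file
    with one stream named 'Data', then `free_sectors` sectors nothing accounts for."""
    ss = 512
    n_payload = -(-len(payload) // ss)
    # sector 0 = FAT, sector 1 = directory, sectors 2.. = payload chain, then free sectors
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_payload - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (ss // 4 - len(fat))

    header = bytearray(ss)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))     # DIFAT: the FAT is sector 0

    def dir_entry(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), etype, 1, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + dir_entry("Data", 2, FREESECT, 2, len(payload))
    directory += bytes(ss - len(directory))
    body = payload + bytes(n_payload * ss - len(payload))
    return bytes(header) + struct.pack("<%dI" % len(fat), *fat) + directory + body + bytes(free_sectors * ss)


if __name__ == "__main__":
    report = ole_accounting(build_sample_ole())
    print(f"{report['file_size']} bytes, streams {report['streams']} declare {report['stream_bytes']} bytes; "
          f"{report['slack_bytes']} bytes ({report['slack_ratio']:.0%}) unaccounted for")
```

The synthetic file comes out as 5,632 bytes with a single 600-byte stream and 3,072 bytes (55%) of slack, the same shape of finding as the report's 32,579 bytes declared out of 524,288. Two refinements matter on real files: streams below the mini-stream cutoff (4,096 bytes) live inside the root entry's mini stream rather than in their own sectors, so summing directory sizes still works but sector-level accounting must treat the mini stream as allocated; and a FAT that simply stops short of the file's end (beyond_fat above) is as suspicious as free sectors, since nothing in the container describes those bytes at all.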