Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c94d6c71c10a9e7…

MALICIOUS

Office (OLE)

Size: 214.1 KB
Created: 2010-08-22 10:37:00
Authoring application: Microsoft Office Word
First seen: 2014-04-29
MD5: c024e159a96f3292915b257070fc3325
SHA-1: c18478517db77d34dfe4f42fd04688f23d04b60a
SHA-256: 5c94d6c71c10a9e7ad382cf57b5df56ed695d8b2db948e0dcec52d8e6491c6b0
Risk Score: 182

Heuristics 5

  • ClamAV: Legacy.Trojan.Agent-36793 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-36793
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
    Disassembly
    Attempted x86 opcode disassembly
    00007D06  e800000000        call 0x7d0b
    00007D0B  58                pop eax
    00007D0C  ffb037590000      push dword ptr [eax + 0x5937]
    00007D12  8b80275d0000      mov eax, dword ptr [eax + 0x5d27]
    00007D18  ffe0              jmp eax
    00007D1A  e800000000        call 0x7d1f
    00007D1F  58                pop eax
    00007D20  8b80175d0000      mov eax, dword ptr [eax + 0x5d17]
    00007D26  ffe0              jmp eax
    00007D28  90                nop
    00007D29  90                nop
    00007D2A  55                push ebp
    00007D2B  89e5              mov ebp, esp
    00007D2D  53                push ebx
    00007D2E  81ec94000000      sub esp, 0x94
    00007D34  e800000000        call 0x7d39
    00007D39  5b                pop ebx
    00007D3A  837d0800          cmp dword ptr [ebp + 8], 0
    00007D3E  0f94c0            sete al
    00007D41  0fb6c0            movzx eax, al
    00007D44  85c0              test eax, eax
    00007D46  742a              je 0x7d72
    00007D48  8d8324510000      lea eax, [ebx + 0x5124]
    00007D4E  8944240c          mov dword ptr [esp + 0xc], eax
    00007D52  c74424086b000000  mov dword ptr [esp + 8], 0x6b
    00007D5A  8d8333510000      lea eax, [ebx + 0x5133]
    00007D60  89442404          mov dword ptr [esp + 4], eax
    00007D64  8d                .byte 0x8d
    00007D65  83                .byte 0x83
  • PHP webshell / backdoor source high WEBSHELL_PHP
    The file contains PHP server-side code with the signature of a webshell/backdoor (request input fed to a command/code-exec sink). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 219,246 bytes but its declared streams total only 22,878 bytes — 196,368 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://msdn.microsoft.com/Forums/en-us/newthreads/?category=usingforums&forum=announce — In document text (OLE body)
    • http://msdn.microsoft.com/Forums/en-us/library/ — In document text (OLE body)
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd — In document text (OLE body)