Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60a72c61bc6002ad…

MALICIOUS

Office (OLE)

Size: 198.0 KB
Created: 2006-05-06 03:56:44
Authoring application: Microsoft Office PowerPoint
First seen: 2015-09-20
MD5: 3bf77d848de8df4a0b50eb645fd002d0
SHA-1: 33f3d1ba8231513c2e8b832757984c1f21dfee07
SHA-256: 60a72c61bc6002ad2b662fe7bd3440aba4845e19a90b1a0f9110cf96d47eac87
Risk score: 580

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

This PowerPoint file carries an embedded PE executable (MZ/PE header at offset 0x911C, 165604 bytes, so it runs to the end of the 198.0 KB file: 0x911C + 165604 = 202752 bytes) that ClamAV identifies as Win.Trojan.Inject-352. String references to process-injection APIs (WriteProcessMemory, CreateRemoteThread) and execution APIs (WinExec, CreateProcess) indicate that the embedded executable is a payload intended to compromise the host. The document body, which appears to be a sports schedule, is most likely a lure to disguise that payload. The CVE attribution below is inferred from the delivery pattern (tagged "CVE likely"); no exploit trigger record is identified in this report.

Heuristics (12)

  • PowerPoint binary-format RCE payload (CVE-2011-1269 / MS11-036 family) critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native-code payload (an embedded PE and/or process-injection shellcode) staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode, so this is treated as the payload half of a PowerPoint memory-corruption exploit. The CVE-2011-1269 / MS11-036 family is the likely match; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556. This heuristic identifies the payload, not the exploit trigger record itself.
  • ClamAV: Win.Trojan.Inject-352 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Inject-352
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX), i.e. the byte sequence E8 00 00 00 00 58, found twice (at 0x93B7 and 0x93C0); both offsets fall inside the embedded PE
    Disassembly
    Attempted x86 opcode disassembly. Only the two stubs and the backward jump at 000093C6 decode as plausible code; from 000093C8 on the bytes decode to retf, in, out and arpl, which are privileged or meaningless in user-mode shellcode, so the region past that point is likely data or packed code rather than straight-line shellcode:
    000093B7  e800000000        call 0x93bc
    000093BC  58                pop eax
    000093BD  83eb10            sub ebx, 0x10
    000093C0  e800000000        call 0x93c5
    000093C5  58                pop eax
    000093C6  ebc8              jmp 0x9390
    000093C8  cb                retf
    000093C9  8d5e9c            lea ebx, [esi - 0x64]
    000093CC  2e68e64374a6      push 0xa67443e6
    000093D2  5f                pop edi
    000093D3  81efe63234a6      sub edi, 0xa63432e6
    000093D9  57                push edi
    000093DA  e812000000        call 0x93f1
    000093DF  61                popal
    000093E0  42                inc edx
    000093E1  1066b6            adc byte ptr [esi - 0x4a], ah
    000093E4  157d3b35d2        adc eax, 0xd2353b7d
    000093E9  65e3d3            jecxz 0x93bf
    000093EC  ed                in eax, dx
    000093ED  e0df              loopne 0x93ce
    000093EF  e91c5859ff        jmp 0xff59ec10
    000093F4  e1be              loope 0x93b4
    000093F6  60                pushal
    000093F7  4c                dec esp
    000093F8  3d0e950623        cmp eax, 0x2306950e
    000093FD  63acd60d3f3fc6    arpl word ptr [esi + edx*8 - 0x39c0c0f3], bp
    00009404  18e6              sbb dh, ah
    00009406  af                scasd eax, dword ptr es:[edi]
    00009407  ef                out dx, eax
    00009408  44                inc esp
    00009409  6ba2b21b80492e    imul esp, dword ptr [edx + 0x49801bb2], 0x2e
    00009410  b2df              mov dl, 0xdf
    00009412  87df              xchg edi, ebx
    00009414  94                xchg esp, eax
    00009415  4a                dec edx
    00009416  27                daa
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000911c.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x911C
Size: 165604 bytes
SHA-256: 08af19d16a89d8858b519245c259d083a7037bdbf81c1b00ba6facd83086dc9e
Detection: ClamAV: Win.Trojan.Inject-352
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_STR_CREATEPROCESS, SC_STR_VIRTUALPROTECT
Static shellcode analysis recovered API/import strings: CreateProcessA, ReadProcessMemory, OpenProcess, VirtualProtect, VirtualProtectEx, ExitProcess
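The following script is an added example, not the analyzer's own code, and reproduces the three checks that the heuristics list (OLE_EMBEDDED_EXE, SC_GETPC_CALL, SC_STR_*) and the extracted-artifact record above rely on: carving an MZ/PE image by validating e_lfanew against the PE signature and reading the section table for its true length, matching the six-byte GetPC stub E8 00 00 00 00 58, and locating Win32 API name strings, with each hit tagged by whether it falls inside a carved PE. The input in build_sample() is constructed (OLE magic, lure text, a minimal one-section PE, trailing slack); LURE_LEN, TEXT_SECTION and all function names are the example's own. On the real file, triage(open(path, "rb").read()) should report the PE at 0x911C, and since 0x911C + 165604 = 202752 bytes (198.0 KB) the carved executable runs to the end of the file.

```python
"""Offline triage of an OLE/PPT sample for the indicators in this report:
embedded MZ/PE images (OLE_EMBEDDED_EXE), the x86 GetPC stub
"call $+5; pop eax" (SC_GETPC_CALL) and Win32 API name strings (SC_STR_*).
Example code added to the report, not the analyzer's own; the input in
build_sample() is constructed so the script runs without the real file."""
import re
import struct
import sys

GETPC_STUB = b"\xe8\x00\x00\x00\x00\x58"   # E8 00000000 = call $+5 ; 58 = pop eax
API_NAMES = (b"WriteProcessMemory", b"CreateRemoteThread", b"WinExec",
             b"CreateProcessA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect")


def find_embedded_pe(data):
    """[(offset, size)] for every 'MZ' whose e_lfanew lands on 'PE\\0\\0'.
    Size comes from the section table (max PointerToRawData + SizeOfRawData),
    which is what lets the image be carved at its true length."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        # Bound e_lfanew before trusting it: stray 'MZ' bytes are common.
        if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(data):
            continue
        if data[pe:pe + 4] != b"PE\0\0":
            continue
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        table = pe + 24 + opt_size
        end = 0
        for i in range(nsections):
            s = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
            if s + 40 > len(data):
                break
            raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
            end = max(end, raw_ptr + raw_size)
        hits.append((off, end))
    return hits


def find_getpc(data):
    return [m.start() for m in re.finditer(re.escape(GETPC_STUB), data)]


def find_api_strings(data):
    found = {}
    for name in API_NAMES:
        offs = [m.start() for m in re.finditer(re.escape(name), data)]
        if offs:
            found[name.decode()] = offs
    return found


def carve(data, offset, size):
    return data[offset:offset + size]


def triage(data):
    """Run all three checks; each hit is tagged with whether it lies inside a
    carved PE (the report's API hits do, so they are the payload's imports)."""
    pes = find_embedded_pe(data)

    def inside_pe(off):
        return any(start <= off < start + size for start, size in pes)

    return {
        "pe": pes,
        "getpc": [(off, inside_pe(off)) for off in find_getpc(data)],
        "apis": {name: [(off, inside_pe(off)) for off in offs]
                 for name, offs in find_api_strings(data).items()},
    }


# ---- constructed sample (assumption: this layout is the example's own) ----
LURE_LEN = 0x400                     # fake document prefix before the PE
TEXT_SECTION = (b"\x90" * 16 + GETPC_STUB + b"\x90" * 8 + GETPC_STUB + b"\x00"
                + b"WriteProcessMemory\0CreateRemoteThread\0WinExec\0VirtualProtect\0")


def build_minimal_pe(text):
    """Single-section PE32 with `text` as .text at raw offset 0x200."""
    raw_ptr = 0x200
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> NT headers
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 optional-header magic
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x1000, len(text),
                                         raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + nt + bytes(opt) + sect).ljust(raw_ptr, b"\0") + text


def build_sample():
    """OLE magic + lure text, then the PE, then trailing slack."""
    lure = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Sports schedule").ljust(LURE_LEN, b"\0")
    return lure + build_minimal_pe(TEXT_SECTION) + b"\0" * 64


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(key, value)
```

The size check matters for carving: taking everything from the MZ header to end of file, as this sample happens to allow, over-carves on samples where the document continues after the PE, whereas the section-table bound gives the image's real extent. The GetPC match is a weak signal on its own (the same bytes occur in ordinary compiled code), which is why triage() reports where each hit lands rather than treating it as proof of shellcode.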