Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 615083e0a304fa01…

MALICIOUS

Office (OLE)

Size: 184.9 KB
Created: 2001-12-11 23:34:17
Authoring application: Microsoft PowerPoint
First seen: 2017-10-28
MD5: 8a28eb48a56be3a6f24232319c9be8ec
SHA-1: 65636f8d6438759a8aada8d09b4ec73ec67b6b89
SHA-256: 615083e0a304fa01fb02f22971915f95b31807430a3641f4168e6dc481d27f1c
Risk Score: 284

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

This PowerPoint document contains an embedded PE executable, identified as a likely payload. Heuristics indicate exploitation of a known PowerPoint vulnerability (CVE-2011-1269 / MS11-036) to execute this embedded binary. No VBA macros were extractable, but the presence of the executable and the RCE vulnerability points to a malicious document designed to drop and run a secondary stage.

Heuristics 9

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly of the region following the sled. Note that the bytes from 00027540 onward are not meaningful code: 55 53 45 52 33 32 2e 64 6c 6c 00 is the ASCII string "USER32.dll", 4d 53 4f 2e 64 6c 6c 00 is "MSO.dll", and the values that follow (b8 43 00 00, c8 43 00 00, ...) are small little-endian DWORDs, so the instructions listed below are a disassembler's rendering of string and table data, not an executable payload in themselves.
    0002750C  90                nop
    0002750D  90                nop
    0002750E  90                nop
    0002750F  90                nop
    00027510  90                nop
    00027511  90                nop
    00027512  90                nop
    00027513  90                nop
    00027514  90                nop
    00027515  90                nop
    00027516  90                nop
    00027517  90                nop
    00027518  90                nop
    00027519  90                nop
    0002751A  90                nop
    0002751B  90                nop
    0002751C  90                nop
    0002751D  90                nop
    0002751E  90                nop
    0002751F  90                nop
    00027520  90                nop
    00027521  90                nop
    00027522  90                nop
    00027523  90                nop
    00027524  90                nop
    00027525  90                nop
    00027526  90                nop
    00027527  90                nop
    00027528  90                nop
    00027529  90                nop
    0002752A  90                nop
    0002752B  90                nop
    0002752C  90                nop
    0002752D  90                nop
    0002752E  90                nop
    0002752F  90                nop
    00027530  90                nop
    00027531  90                nop
    00027532  90                nop
    00027533  90                nop
    00027534  90                nop
    00027535  90                nop
    00027536  90                nop
    00027537  90                nop
    00027538  90                nop
    00027539  90                nop
    0002753A  90                nop
    0002753B  90                nop
    0002753C  90                nop
    0002753D  90                nop
    0002753E  90                nop
    0002753F  90                nop
    00027540  55                push ebp
    00027541  53                push ebx
    00027542  45                inc ebp
    00027543  52                push edx
    00027544  3332              xor esi, dword ptr [edx]
    00027546  2e646c            insb byte ptr es:[edi], dx
    00027549  6c                insb byte ptr es:[edi], dx
    0002754A  009090909090      add byte ptr [eax - 0x6f6f6f70], dl
    00027550  4d                dec ebp
    00027551  53                push ebx
    00027552  4f                dec edi
    00027553  2e646c            insb byte ptr es:[edi], dx
    00027556  6c                insb byte ptr es:[edi], dx
    00027557  00b843000000      add byte ptr [eax + 0x43], bh
    0002755D  0000              add byte ptr [eax], al
    0002755F  00c8              add al, cl
    00027561  43                inc ebx
    00027562  0000              add byte ptr [eax], al
    00027564  de4300            fiadd word ptr [ebx]
    00027567  00f2              add dl, dh
    00027569  43                inc ebx
    0002756A  0000              add byte ptr [eax], al
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    The Analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  Channel
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0  In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0  In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0  In document text (OLE body)
    • http://office.microsoft.com  In document text (OLE body)
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a  In document text (OLE body)
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0  In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0  In document text (OLE body)
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@  In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0  In document text (OLE body)
    • http://www.microsoft.com/PKI/docs/CPS/default.htm0@  In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z  In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0  In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_00023e00.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x23E00
Size: 42419 bytes
SHA-256: 23b71d35056ce52cc84c934f4823adcf4249a33ac820b012487f36390fe1b252
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_VIRTUALPROTECT, SC_STR_LOADLIBRARY
Static shellcode analysis recovered API/import strings: shlwapi.dll, VirtualProtect, LoadLibraryA, LoadLibraryW, GetProcAddress