Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6948f110047b2838…

MALICIOUS

Office (OLE)

Size: 111.5 KB
Created: 2012-05-04 15:39:00
Authoring application: Microsoft Office Word
First seen: 2012-07-12
MD5: 3604629b720c67b7906fb59f1bb2ee9c
SHA-1: 7cd0e4b6c97c1833ec2127997688c8cf4ccca6c2
SHA-256: 6948f110047b283810be9490528ed9460d8943cabf9de371eda797e151b6b68d
Risk score: 122

Heuristics (3)

  • ClamAV: Doc.Downloader.Inject-118 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Inject-118
  • XOR-encoded strings (key 0x70) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x70: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'VirtualAllocEx', 'CreateProcessA'
    Disassembly
    x86 disassembly · validity: code (0.705) — 2/3 branch targets land on an instruction boundary (67% coherence)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ · In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# · In document text (OLE body)
    • http://ns.adobe.com/iX/1.0/ · In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/ · In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ · In document text (OLE body)
    • http://www.iec.ch · In document text (OLE body)