Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b4c26a95e37f6dd…

MALICIOUS

Office (OLE)

434.8 KB First seen: 2015-09-30
MD5: 8a5ddd268d5a354eaa2ce98c8f353868 SHA-1: 97da9b1e15563f49b679e96c5288934da717e394 SHA-256: 6b4c26a95e37f6ddc4305b03ade5934c0130e47978e960f023ccd74bdcaa4caa
168 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an OLE document with a significant portion of appended data, identified as a potential executable payload. Heuristics indicate XOR-encoded strings and the use of VirtualAlloc, suggesting code execution. Although no VBA macros were found to be executable, the presence of appended payload bytes and the OLE structure strongly suggest this file is designed to drop and execute a secondary malicious component.

Heuristics (5)

  • XOR-encoded strings (key 0xDE) [severity: critical, rule: SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
    Disassembly
    Attempted x86 opcode disassembly
    00010BFD  99                cdq
    00010BFE  bbaa8eacb1        mov ebx, 0xb1ac8eaa
    00010C03  bd9fbabaac        mov ebp, 0xacbaba9f
    00010C08  bbadadde99        mov ebx, 0x99deadad
    00010C0D  bbaa8abbb3        mov ebx, 0xb3bb8aaa
    00010C12  ae                scasb al, byte ptr es:[edi]
    00010C13  8e                .byte 0x8e
    00010C14  bfaab69fde        mov edi, 0xde9fb6aa
    00010C19  9d                popfd
    00010C1A  ac                lodsb al, byte ptr [esi]
    00010C1B  bbbfaabb98        mov ebx, 0x98bbaabf
    00010C20  b7b2              mov bh, 0xb2
    00010C22  bb9fde99bb        mov ebx, 0xbb99de9f
    00010C27  aa                stosb byte ptr es:[edi], al
    00010C28  98                cwde
    00010C29  b7b2              mov bh, 0xb2
    00010C2B  bb8db7a4bb        mov ebx, 0xbba4b78d
    00010C30  de8dbbaa98b7      fimul word ptr [ebp - 0x48675545]
    00010C36  b2bb              mov dl, 0xbb
    00010C38  8e                .byte 0x8e
    00010C39  b1b7              mov cl, 0xb7
    00010C3B  b0aa              mov al, 0xaa
    00010C3D  bbacde8cbb        mov ebx, 0xbb8cdeac
    00010C42  bfba98b7b2        mov edi, 0xb2b798ba
    00010C47  bbde89acb7        mov ebx, 0xb7ac89de
    00010C4C  aa                stosb byte ptr es:[edi], al
    00010C4D  bb98b7b2bb        mov ebx, 0xbbb2b798
    00010C52  de9db2b1adbb      ficomp word ptr [ebp - 0x44524e4e]
    00010C58  96                xchg esi, eax
    00010C59  bf                .byte 0xbf
    00010C5A  b0ba              mov al, 0xba
    00010C5C  b2                .byte 0xb2
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 445,209 bytes but its declared streams total only 240,528 bytes — 204,681 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [severity: high, rule: OLE_APPENDED_PAYLOAD]
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API [severity: medium, rule: SC_STR_VIRTUALALLOC]
    The file contains a string reference to the VirtualAlloc API.
  • VBA project contains no executable statements [severity: low, rule: OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.