Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 70174d080563fd46…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 106.6 KB
Created: 2004-04-05 00:54:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 5f42774116ddd78010a80a4820b1d2f5
SHA-1: 893ae57190c36f4a809fdfae2edfe712fba55633
SHA-256: 70174d080563fd46dd973a6ec976b65ee8f05ae119c1ffbd4b410b3c6cfc7be0
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is detected as Win.Exploit.13525-1, indicating that it likely exploits a known vulnerability to gain execution. The VBA project, although it contains no executable statements, suggests a potential vector for further exploitation or obfuscation. The XOR-encoded Windows API names further point to malicious intent; the encoding is most likely there to hide malicious code or URLs from signature-based scanning.

Heuristics (4)

  • ClamAV: Win.Exploit.13525-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.13525-1
  • XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]
    Found 7 Windows library/API names XOR-encoded with the single-byte key 0xFF: 'GetProcAddress', 'VirtualAlloc', 'VirtualAllocEx', 'CreateFileA', 'WriteProcessMemory', 'CreateRemoteThread', 'OpenProcess'.
    Disassembly: attempted x86 opcode disassembly of the encoded region (file offsets 0x00013974 to 0x000139D3).
  • OLE document has a large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 109,196 bytes, but its declared streams total only 54,248 bytes; the remaining 54,948 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
  • VBA project contains no executable statements [low, OLE_VBA_MACROS]
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 286 bytes
SHA-256: 7771bf99b1125ee0f87040a7dc7c1fa89eec2186bbf4ab3e822c8d665693af47

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True