Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72cad482c0e709b4…

MALICIOUS

Office (OLE)

Size: 46.0 KB
Created: 2012-04-25 14:01:00
Authoring application: Microsoft Office Word
First seen: 2015-09-26
MD5: 78c3d73e2e2bba6d8811c5dc39edd600
SHA-1: ce2637890e1be18e4cbcf833626c0c0a29f79364
SHA-256: 72cad482c0e709b47687120a48f21b5d9a4cfa3f9afc148e1d6ea288efa07724
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Inject-118, indicating it's a downloader. The document body appears to be a press release but contains significant amounts of garbled text, suggesting an attempt to obfuscate malicious content. The presence of XOR-encoded strings further supports the likelihood of obfuscation for malicious purposes.

Heuristics (3)

  • ClamAV: Doc.Downloader.Inject-118 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Inject-118
  • XOR-encoded strings (key 0x85) [critical, SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x85: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'
    Disassembly
    Attempted x86 opcode disassembly
    0000B6DC  ce                into
    0000B6DD  c0d7cb            rcl bh, 0xcb
    0000B6E0  c0c9b6            ror cl, 0xb6
    0000B6E3  b7ab              mov bh, 0xab
    0000B6E5  c1c9c9            ror ecx, 0xc9
    0000B6E8  00d6              add dh, dl
    0000B6EA  cdc0              int 0xc0
    0000B6EC  c9                leave
    0000B6ED  c9                leave
    0000B6EE  b6b7              mov dh, 0xb7
    0000B6F0  ab                stosd dword ptr es:[edi], eax
    0000B6F1  e1e9              loope 0xb6dc
    0000B6F3  e90000c9ea        jmp 0xeac9b6f8
    0000B6F8  e4e1              in al, 0xe1
    0000B6FA  c9                leave
    0000B6FB  ec                in al, dx
    0000B6FC  e7f7              out 0xf7, eax
    0000B6FE  e4f7              in al, 0xf7
    0000B700  fc                cld
    0000B701  c400              les eax, ptr [eax]
    0000B703  00c2              add dl, al
    0000B705  e0f1              loopne 0xb6f8
    0000B707  d5f7              aad 0xf7
    0000B709  eae6c4e1e1f7e0    ljmp 0xe0f7:0xe1e1c4e6
    0000B710  f6f6              div dh
    0000B712  0000              add byte ptr [eax], al
    0000B714  d3ec              shr esp, cl
    0000B716  f7f1              div ecx
    0000B718  f0                .byte 0xf0
    0000B719  e4e9              in al, 0xe9
    0000B71B  d5f7              aad 0xf7
    0000B71D  eaf1e0e6f10000    ljmp 0:0xf1e6e0f1
    0000B724  d3ec              shr esp, cl
    0000B726  f7f1              div ecx
    0000B728  f0                .byte 0xf0
    0000B729  e4e9              in al, 0xe9
    0000B72B  c4                .byte 0xc4
    0000B72C  e9e9eae600        jmp 0xe7a21a
    0000B731  00d3              add bl, dl
    0000B733  ec                in al, dx
    0000B734  f7f1              div ecx
    0000B736  f0                .byte 0xf0
    0000B737  e4e9              in al, 0xe9
    0000B739  c3                ret
    0000B73A  f7e0              mul eax
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 47,120 bytes but its declared streams total only 18,279 bytes — 28,841 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).