Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 760473c237f40397…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 128.0 KB
First seen: 2015-09-15
MD5: 07855ad33f0a729725f5dacc717e3340
SHA-1: 1cc82de39023a7852ee1381dd3fd3dd311ba88a7
SHA-256: 760473c237f403977bc146648b5a2d1115435b832b207b3cd15eda2db0822934
Risk score: 88

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document exhibiting a high-severity heap-spray pattern and a large slack-space anomaly, indicating potential malicious code injection. Although the VBA project contains no executable statements, the heap-spray heuristic strongly suggests an attempt to exploit a client-side vulnerability for code execution. The SHA-256 hash is included as an IOC.

Heuristics (3)

  • Heap-spray pattern detected (severity: high, SC_HEAP_SPRAY)
    Repeated 0x04 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 131,088 bytes but its declared streams total only 43,229 bytes; 87,859 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements (severity: low, OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1271 bytes
SHA-256: 1393fb9c6c18f41eb0fa3c4533b46ef8e1670352e75321cc8504cd42cae698a3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView1, 1, 0, MSComctlLib, ListView"

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True