Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7715869c4a56e821…

MALICIOUS

Office (OLE)

Size: 68.5 KB | Created: 2010-12-10 08:57:00 | Authoring application: Microsoft Office Word | First seen: 2018-03-04
MD5: f96684c4d711a7591b738d7fbfef63f4
SHA-1: b0cf6bf16a9ad1d9b77a8a3f992aa3fdc46cf27d
SHA-256: 7715869c4a56e821321619e8552d20e8fb463697de5c26b3585c1be5577a719f
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.001 PowerShell

The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to achieve code execution. It then uses a constructed command line that invokes cmd.exe to run PowerShell, which downloads and executes a script from http://evilserver.ninja/pp.ps1. This indicates downloader or dropper functionality.

Heuristics (5)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely] CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Heap-spray pattern detected [high] SC_HEAP_SPRAY
    Repeated 0x07 bytes found at offsets 0x00000A1F through 0x00000A7E; attempted x86 opcode disassembly decodes every byte in the run as pop es.
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://evilserver.ninja/pp.ps1 [In document text (OLE body)]
    • http://www.dacostabalboa.com/yoni [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml [In document text (OLE body)]