Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d6bd16025d411f2…

MALICIOUS

Office (OLE)

Size: 56.6 KB (57,969 bytes) | Created: 2007-09-18 04:34:00 | Authoring application: Microsoft Word 11 (Word 2003) | First seen: 2015-09-30
MD5:     84f04efb9c8f7f43a3d110b481c2ba90
SHA-1:   cb61a13d08fdd949ca29c986c05a2b683c5ff0a6
SHA-256: 7d6bd16025d411f21580647766af14e46a877cf871f43591079bfe45fa9c63b8
Risk score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE (Compound File) document in which 72% of the file sits in sectors that no stream claims, a layout that points to an embedded payload rather than to anything a Word 2003 document normally carries. The high-severity PEB-access heuristic fired on position-independent x86 code inside the file. The disassembled bytes read the PEB through fs:[0x30], follow PEB.Ldr (+0x0c) to InInitializationOrderModuleList (+0x1c), take the second module in that list and its DllBase (+0x08), then walk that module's PE export directory (e_lfanew at +0x3c, export table RVA at +0x78, NumberOfNames at +0x18, AddressOfNames at +0x20, AddressOfNameOrdinals at +0x24, AddressOfFunctions at +0x1c) comparing each name against "GetP"/"rocA" until GetProcAddress is found; the resolved pointer is stored at [ebp+0x2c] and the code then begins spelling an API name starting "CreateFi" onto the stack. Two details matter for triage: hand-rolled export walking of this kind is the standard prologue of exploit shellcode, not something a legitimate document contains, and the "second InInitializationOrder entry is kernel32.dll" assumption holds on Windows XP/2003 but not on Windows 7 and later (where KernelBase.dll occupies that slot), so the payload targets the XP-era Office installs consistent with the file's 2007 creation date. The document body is heavily corrupted, which prevents recovery of the lure, but together the heuristics point to an exploit document that gains code execution through a document-parser vulnerability (T1203).

Heuristics (2)

  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Attempted x86 opcode disassembly of the flagged region:
    00003342  64a130000000      mov eax, dword ptr fs:[0x30]
    00003348  8b400c            mov eax, dword ptr [eax + 0xc]
    0000334B  8b701c            mov esi, dword ptr [eax + 0x1c]
    0000334E  ad                lodsd eax, dword ptr [esi]
    0000334F  8b7808            mov edi, dword ptr [eax + 8]
    00003352  8b473c            mov eax, dword ptr [edi + 0x3c]
    00003355  8b540778          mov edx, dword ptr [edi + eax + 0x78]
    00003359  03d7              add edx, edi
    0000335B  8b4a18            mov ecx, dword ptr [edx + 0x18]
    0000335E  8b5a20            mov ebx, dword ptr [edx + 0x20]
    00003361  03df              add ebx, edi
    00003363  49                dec ecx
    00003364  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00003367  03f7              add esi, edi
    00003369  b847657450        mov eax, 0x50746547
    0000336E  3906              cmp dword ptr [esi], eax
    00003370  75f1              jne 0x3363
    00003372  b8726f6341        mov eax, 0x41636f72
    00003377  394604            cmp dword ptr [esi + 4], eax
    0000337A  75e7              jne 0x3363
    0000337C  8b5a24            mov ebx, dword ptr [edx + 0x24]
    0000337F  03df              add ebx, edi
    00003381  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    00003385  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    00003388  03df              add ebx, edi
    0000338A  8b048b            mov eax, dword ptr [ebx + ecx*4]
    0000338D  03c7              add eax, edi
    0000338F  89452c            mov dword ptr [ebp + 0x2c], eax
    00003392  c7450043726561    mov dword ptr [ebp], 0x61657243
    00003399  c7450474654669    mov dword ptr [ebp + 4], 0x69466574
    000033A0  c7                .byte 0xc7
    000033A1  45                inc ebp
    (listing ends here: c7 45 is the opcode and ModRM of a third mov dword ptr [ebp+disp8], imm32, the same encoding as the two stores above, whose displacement and immediate were not captured, so the disassembler emitted the two bytes as junk)
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 57,969 bytes but its declared streams total only 16,486 bytes: the remaining 41,483 bytes (72%) lie in sectors that no stream claims, i.e. unallocated slack. Macro-less (exploit-based) Office documents commonly hide their payload there, typically shellcode, often XOR-encoded, that a parser memory-corruption bug in the document structure eventually transfers control to, so this region is the first place to carve and disassemble.
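Reproducing the OLE_SLACK_ANOMALY check outside the analysis platform. This is an added example, not the platform's own code: a minimal Compound File (CFB/OLE2) walker that sums the stream sizes declared in the directory, counts the sectors the FAT actually allocates, and reports everything else as unallocated slack. The 0.5 flag threshold, the helper names and the synthetic sample file (one 4,096-byte WordDocument stream followed by 8,192 bytes of junk that no FAT entry references) are assumptions made for the example; feed scan_ole_slack the real sample's bytes to get its numbers.

```python
import struct

# Compound File Binary (CFB/OLE2) constants
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
STREAM, ROOT = 2, 5  # directory entry object types


def _sector(data, n, size):
    # sector n starts after the header, which occupies the space of "sector -1"
    return data[(n + 1) * size:(n + 2) * size]


def _fat(data, size):
    # Read the FAT sectors listed in the header's 109 DIFAT slots (enough for files
    # under ~7 MB; DIFAT sectors, which larger files need, are not followed here).
    fat = []
    for i in range(109):
        s = struct.unpack_from("<I", data, 0x4C + 4 * i)[0]
        if s == FREESECT:
            break
        fat.extend(struct.unpack(f"<{size // 4}I", _sector(data, s, size)))
    return fat


def _chain(fat, start):
    seen, s = set(), start
    while s < 0xFFFFFFFA and s < len(fat) and s not in seen:  # stop on special values / loops
        seen.add(s)
        yield s
        s = fat[s]


def scan_ole_slack(data: bytes, threshold: float = 0.5) -> dict:
    """Compare the file size with what the FAT and the directory account for."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    major = struct.unpack_from("<H", data, 0x1A)[0]
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = _fat(data, size)
    directory = b"".join(_sector(data, s, size) for s in _chain(fat, first_dir))
    declared = 0
    for off in range(0, len(directory), 128):
        if directory[off + 0x42] == STREAM:
            sz = struct.unpack_from("<Q", directory, off + 0x78)[0]
            declared += sz & 0xFFFFFFFF if major == 3 else sz  # v3 only uses the low dword
    n_sectors = -(-(len(data) - size) // size)  # sectors in the file body, rounded up
    allocated = sum(size for i in range(min(n_sectors, len(fat))) if fat[i] != FREESECT)
    unallocated = len(data) - size - allocated  # bytes outside header and allocated sectors
    ratio = unallocated / len(data)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "allocated_bytes": allocated, "unallocated_bytes": unallocated,
            "unallocated_ratio": round(ratio, 3), "suspicious": ratio >= threshold}


def _entry(name, typ, start, size, child=FREESECT):
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(n)] = n
    struct.pack_into("<HBB", e, 0x40, len(n), typ, 1)
    struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)  # no siblings
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)


def build_sample_ole(stream_bytes=4096, slack_bytes=8192) -> bytes:
    """Constructed minimal CFB (assumption, not a real sample): FAT in sector 0,
    directory in sector 1, one 'WordDocument' stream from sector 2, then
    slack_bytes of junk that no FAT entry claims."""
    size = 512
    n = -(-stream_bytes // size)
    fat = [FREESECT] * (size // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(n):
        fat[2 + i] = 3 + i if i < n - 1 else ENDOFCHAIN
    hdr = bytearray(size)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<IIIIIIII", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT[0] -> FAT sector 0
    directory = (_entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + _entry("WordDocument", STREAM, 2, stream_bytes)).ljust(size, b"\x00")
    body = bytes(stream_bytes).ljust(n * size, b"\x00")
    junk = (bytes(range(256)) * (slack_bytes // 256 + 1))[:slack_bytes]
    return bytes(hdr) + struct.pack(f"<{size // 4}I", *fat) + directory + body + junk


if __name__ == "__main__":
    print(scan_ole_slack(build_sample_ole()))
```

Two metrics are deliberately reported side by side: the report subtracts the declared stream total from the file size, while allocated_bytes also credits the FAT and directory sectors themselves. On a genuine exploit document both tell the same story, and the carving target is the set of sectors the FAT marks FREESECT plus anything past the last FAT-covered sector.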
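Triage script for the SC_PEB_ACCESS finding, added here as an example and not part of the report or of the vendor's heuristic engine. It flags the fs:[0x30] PEB load in a blob of bytes and recovers the API-name fragments that this style of shellcode spells out four bytes at a time through mov eax, imm32 and mov dword ptr [ebp+disp8], imm32, which is what yields "GetP"/"rocA" and "Crea"/"teFi" in the listing above. The sample input is the opcode bytes re-packed from the report's hex column (cut off where the listing is); the function names and the decision rule are assumptions of the example.

```python
import re

# Constructed sample: the opcode bytes from the report's disassembly listing,
# re-packed from its hex column. The listing stops after the second
# "mov dword ptr [ebp+4]" store, so the sample stops there too.
SAMPLE_SHELLCODE = bytes.fromhex(
    "64a130000000" "8b400c" "8b701c" "ad" "8b7808" "8b473c" "8b540778"
    "03d7" "8b4a18" "8b5a20" "03df" "49" "8b348b" "03f7" "b847657450"
    "3906" "75f1" "b8726f6341" "394604" "75e7" "8b5a24" "03df" "668b0c4b"
    "8b5a1c" "03df" "8b048b" "03c7" "89452c" "c7450043726561" "c7450474654669"
)

# mov eax, fs:[0x30]  -> 64 a1 30 00 00 00
# mov r32, fs:[0x30]  -> 64 8b <modrm> 30 00 00 00 with mod=00, r/m=101 (disp32 only)
PEB_LOAD = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.DOTALL)

# 32-bit immediates that shellcode uses to build API names on the stack:
# mov eax, imm32 (b8 imm32) and mov dword ptr [ebp+disp8], imm32 (c7 45 disp8 imm32)
IMM32 = re.compile(rb"(?:\xb8|\xc7\x45.)(.{4})", re.DOTALL)


def find_peb_access(code: bytes) -> list[int]:
    """Offsets of every direct fs:[0x30] load (the x86 PEB pointer) in the buffer."""
    return [m.start() for m in PEB_LOAD.finditer(code)]


def recover_string_immediates(code: bytes) -> list[str]:
    """4-byte immediates that decode to printable ASCII, in the order they appear.
    Little-endian storage means the bytes already read in string order."""
    out = []
    for m in IMM32.finditer(code):
        word = m.group(1)
        if all(0x20 <= b < 0x7F for b in word):
            out.append(word.decode("ascii"))
    return out


def peb_shellcode_verdict(code: bytes) -> dict:
    """Assumed decision rule for the example: a PEB load alone raises the flag,
    matching how the report's SC_PEB_ACCESS heuristic is described; the
    recovered fragments are context for the analyst."""
    offsets = find_peb_access(code)
    frags = recover_string_immediates(code)
    return {"peb_access_offsets": offsets, "api_name_fragments": frags,
            "joined": "".join(frags), "flag": bool(offsets)}


if __name__ == "__main__":
    print(peb_shellcode_verdict(SAMPLE_SHELLCODE))
```

The byte pattern only covers direct fs:[0x30] loads. Variants such as push 0x30 / pop eax / mov eax, fs:[eax], or a read of fs:[0x18] (the TEB) followed by [eax+0x30], are outside this example's reach and need a disassembler or emulator rather than a byte pattern, and the immediate-recovery pass is a heuristic that will also surface any printable constant that happens to follow a b8 or c7 45 byte sequence.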