Win.Malware.Noobyprotect-6622929-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 8411e8d20437b4d2…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 974.0 KB
Created: 2019-02-09 07:02:22
First seen: 2019-05-16
MD5: 0aa19f81e954a5d352497bad8b132590
SHA-1: be9d5e040d04c33a6b33bee170f42d9cfaf82ebb
SHA-256: 8411e8d20437b4d2c127607d485e8e3cb86a5f145508ccb8fe20025b2314fd94
Risk Score: 542

Malware Insights

Win.Malware.Noobyprotect-6622929-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document that carries an embedded PE executable and exploits CVE-2008-2244 (MS08-042) to execute it. ClamAV detects the embedded executable as Win.Malware.Noobyprotect-6622929-0. The document also contains references to the Windows API functions CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, indicating that the embedded executable likely performs process injection or loads additional malicious code.

Heuristics (13)

  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely) [CVE_2008_2244]
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Malware.Noobyprotect-6622929-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Malware.Noobyprotect-6622929-0
  • Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • x86 GetPC stub (CALL $+5; POP EAX) (high) [SC_GETPC_CALL]
    Disassembly (attempted x86 decode, linear from the match). Only the leading CALL $+5 / POP EAX pair is the matched stub; the listing does not follow the JMP that immediately follows it, so later lines may be surrounding data decoded as code.
    0004C9D1  e800000000        call 0x4c9d6
    0004C9D6  58                pop eax
    0004C9D7  e9c9150000        jmp 0x4dfa5
    0004C9DC  3d8d1c9d00        cmp eax, 0x9d1c8d
    0004C9E1  0000              add byte ptr [eax], al
    0004C9E3  0066bb            add byte ptr [esi - 0x45], ah
    0004C9E6  10e8              adc al, ch
    0004C9E8  0f99c7            setns bh
    0004C9EB  e817000000        call 0x4ca07
    0004C9F0  0c66              or al, 0x66
    0004C9F2  f7d3              not ebx
    0004C9F4  66d3d3            rcl bx, cl
    0004C9F7  5b                pop ebx
    0004C9F8  870c24            xchg dword ptr [esp], ecx
    0004C9FB  eb3a              jmp 0x4ca37
    0004C9FD  90                nop
    0004C9FE  23b3d625e6e6      and esi, dword ptr [ebx - 0x1919da2a]
    0004CA04  119013c0db05      adc dword ptr [eax + 0x5dbc013], edx
    0004CA0A  e8e2ffffff        call 0x4c9f1
    0004CA0F  e800000000        call 0x4ca14
    0004CA14  59                pop ecx
    0004CA15  e945150000        jmp 0x4df5f
    0004CA1A  8a2554c76e79      mov ah, byte ptr [0x796ec754]
    0004CA20  8d1c9d00000000    lea ebx, [ebx*4]
    0004CA27  66bb10e8          mov bx, 0xe810
    0004CA2B  0f99c7            setns bh
    0004CA2E  668bd8            mov bx, ax
  • PEB access via FS segment (x86) (high) [SC_PEB_ACCESS]
    Disassembly (attempted x86 decode, linear from the match). The matched instruction reads the PEB via fs:[0x30]; the JMP target at 0xf058b continues with [eax+0xc] and [eax+0x1c], the classic PEB -> Ldr -> InInitializationOrderModuleList walk used to find a module base without imports. Lines between the JMP and its target may be data decoded as code.
    000F055D  64a130000000      mov eax, dword ptr fs:[0x30]
    000F0563  eb26              jmp 0xf058b
    000F0565  6bf161            imul esi, ecx, 0x61
    000F0568  00f3              add bl, dh
    000F056A  46                inc esi
    000F056B  6bf260            imul esi, edx, 0x60
    000F056E  07                pop es
    000F056F  f27573            bnd jne 0xf05e5
    000F0572  6aeb              push -0x15
    000F0574  dd8b4008eb1b      fisttp qword ptr [ebx + 0x1beb0840]
    000F057A  99                cdq
    000F057B  0595fc0f8a        add eax, 0x8a0ffc95
    000F0580  34b6              xor al, 0xb6
    000F0582  2443              and al, 0x43
    000F0584  be6a274ed9        mov esi, 0xd94e276a
    000F0589  381b              cmp byte ptr [ebx], bl
    000F058B  8b400c            mov eax, dword ptr [eax + 0xc]
    000F058E  8b401c            mov eax, dword ptr [eax + 0x1c]
    000F0591  8b00              mov eax, dword ptr [eax]
    000F0593  ebe0              jmp 0xf0575
    000F0595  50                push eax
    000F0596  e988eaffff        jmp 0xef023
    000F059B  58                pop eax
    000F059C  2d284a1100        sub eax, 0x114a28
    000F05A1  50                push eax
    000F05A2  e9efc8ffff        jmp 0xece96
    000F05A7  73f0              jae 0xf0599
    000F05A9  6601f0            add ax, si
    000F05AC  16                push ss
    000F05AD  6f                outsd dx, dword ptr [esi]
    000F05AE  ed                in eax, dx
    000F05AF  7d04              jge 0xf05b5
    000F05B1  f7147f            not dword ptr [edi + edi*2]
    000F05B4  fe                .byte 0xfe
    000F05B5  6c                insb byte ptr es:[edi], dx
    000F05B6  0b06              or eax, dword ptr [esi]
    000F05B8  e44b              in al, 0x4b
    000F05BA  d34326            rol dword ptr [ebx + 0x26], cl
  • Reference to CreateProcess API (high) [SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]
  • OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
    OLE file is 997,376 bytes but its declared streams total only 5,758 bytes — 991,618 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium) [SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API (medium) [SC_STR_VIRTUALPROTECT]
  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pki-ocsp.symauth.com0 — In document text (OLE body)
    • http://pki-crl.symauth.com/ca_3e5451d77b370c64c3bd39d10f35bd21/LatestCRL.crl07 — In document text (OLE body)
    • http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0 — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00002400.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x2400
Size: 988160 bytes
SHA-256: 985a760a2ca73b7be63ec64d0a9fe92f8dfce83ffc27b1425ee046e914819ff3
Detection: ClamAV: Win.Malware.Noobyprotect-6622929-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_STR_VIRTUALALLOC, SC_GETPC_CALL. Recovered API/import strings: LoadLibraryExA, GetProcAddress, VirtualProtect, CreateFileW, advapi32.dll, ADVAPI32.DLL. Carved artifact entropy is 7.86, consistent with packed or encrypted content.