Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a227e1b779b4ed3…

MALICIOUS

Office (OLE)

Size: 231.6 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2019-11-20
MD5: 3f96e9a11238f1eebbe1428b2ad58ddf
SHA-1: 1266ab68d1b73422b14634f3a8833906b51155aa
SHA-256: 8a227e1b779b4ed370e19f25a60b8eabf0fc1164035733fe3d32b2b27c45c477
Risk Score: 520

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a malicious Microsoft Excel document that exploits CVE-2009-3129 to embed and execute a PE executable. Heuristics indicate the use of Windows API calls such as CreateProcess, WriteProcessMemory, and CreateRemoteThread, suggesting the embedded executable is likely a payload. The presence of a NOP sled and shellcode API strings further supports this. The embedded executable is identified as 'embedded_office_00011260.exe'.

Heuristics (12)

  • CVE-2009-3129: Excel FEATHEADER record overflow (severity: critical, match: CVE exact, id: CVE_2009_3129)
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • Reference to WriteProcessMemory API (severity: critical, id: SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (severity: critical, id: SC_STR_CREATEREMOTETHREAD)
  • Embedded PE executable (severity: critical, id: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected (severity: high, id: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly
    000116D7  90                nop
    000116D8  90                nop
    000116D9  90                nop
    000116DA  90                nop
    000116DB  90                nop
    000116DC  90                nop
    000116DD  90                nop
    000116DE  90                nop
    000116DF  90                nop
    000116E0  90                nop
    000116E1  90                nop
    000116E2  90                nop
    000116E3  90                nop
    000116E4  90                nop
    000116E5  90                nop
    000116E6  90                nop
    000116E7  90                nop
    000116E8  90                nop
    000116E9  90                nop
    000116EA  90                nop
    000116EB  90                nop
    000116EC  90                nop
    000116ED  90                nop
    000116EE  90                nop
    000116EF  90                nop
    000116F0  90                nop
    000116F1  90                nop
    000116F2  90                nop
    000116F3  90                nop
    000116F4  90                nop
    000116F5  90                nop
    000116F6  90                nop
    000116F7  90                nop
    000116F8  90                nop
    000116F9  90                nop
    000116FA  90                nop
    000116FB  90                nop
    000116FC  90                nop
    000116FD  90                nop
    000116FE  90                nop
    000116FF  90                nop
    00011700  90                nop
    00011701  90                nop
    00011702  90                nop
    00011703  8d4646            lea eax, [esi + 0x46]
    00011706  33d2              xor edx, edx
    00011708  8bc8              mov ecx, eax
    0001170A  5f                pop edi
    0001170B  8911              mov dword ptr [ecx], edx
    0001170D  895104            mov dword ptr [ecx + 4], edx
    00011710  895108            mov dword ptr [ecx + 8], edx
    00011713  89510c            mov dword ptr [ecx + 0xc], edx
    00011716  895110            mov dword ptr [ecx + 0x10], edx
    00011719  66c7003100        mov word ptr [eax], 0x31
    0001171E  66c746480100      mov word ptr [esi + 0x48], 1
    00011724  c7464a401f0000    mov dword ptr [esi + 0x4a], 0x1f40
    0001172B  c7464e59060000    mov dword ptr [esi + 0x4e], 0x659
    00011732  66                .byte 0x66
    00011733  c7                .byte 0xc7
    00011734  46                inc esi
    00011735  52                push edx
    00011736  41                inc ecx
  • Reference to CreateProcess API (severity: high, id: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, id: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, id: OLE_SLACK_ANOMALY)
    OLE file is 237,175 bytes but its declared streams total only 24,565 bytes — 212,610 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • LOLBin token sequence in document text (severity: high, id: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Reference to VirtualAlloc API (severity: medium, id: SC_STR_VIRTUALALLOC)
  • Suspicious extracted artifact (severity: medium, id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00011260.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x11260
Size: 166935 bytes
SHA-256: dbfd274810b9e8fdc32fc06352e03b0fa0d87722c35f7cc7ec341c07fe33d287
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_GETPROCADDRESS, SC_STR_CREATEPROCESS
Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, VirtualAlloc, CreateThread, CreateProcessA, CreateFileA