Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8f163ba3463db1d0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 164.5 KB
First seen: 2015-10-04
MD5: 7b052bffa4d49088908d2857a981c200
SHA-1: 2605754e89858c451c0ecea8721e51645ddaf388
SHA-256: 8f163ba3463db1d0a989dc7268a327878b5f3ecbd1b104be5792f7ba2584206b
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document with detected VBA macros. The 'SC_XOR_ENCODED' heuristic suggests obfuscated strings within the macro, commonly used to hide malicious code. The 'OLE_SLACK_ANOMALY' heuristic indicates a large amount of unused space, which can also be used for obfuscation or to hide embedded content. The VBA macro itself is minimal, but the presence of obfuscated strings and the overall structure strongly suggest it's a downloader for a second-stage payload.

Heuristics (3)

  • XOR-encoded strings (key 0xFF) [severity: critical] SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress'
    Disassembly
    Attempted x86 opcode disassembly of the XOR-encoded region (raw listing omitted)
  • OLE document has large unaccounted-for region [severity: high] OLE_SLACK_ANOMALY
    OLE file is 168,448 bytes but its declared streams total only 38,019 bytes — 130,429 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [severity: medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 493 bytes
SHA-256: 1a9b5ef1661434a35ef2224a1a63d0428e37400d35e04dc698714138d7401e81

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Macro1()
Attribute Macro1.VB_Description = "sdfsdf"
Attribute Macro1.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Macro1"
'
' Macro1 Macro
' sdfsdf
'
End Sub