Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8fbd4b372c18c451…

MALICIOUS

Office (OLE)

Size: 120.5 KB (123,392 bytes)   Created: 2004-04-05 00:54:00   Authoring application: Microsoft Word 10.0   First seen: 2012-06-14
MD5: 3b21ccc6aa521d2bf4736063fbfe591e SHA-1: 74ac736cb99210c436ef31f6842c29554f08d840 SHA-256: 8fbd4b372c18c451733128ad2979ddfb3331a53efdb6c5b130db43f6bcd5b587
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is flagged as malicious by ClamAV with the signature 'Doc.Trojan.1Table-1'. Static analysis finds eight Win32 API names XOR-encoded with the single-byte key 0xFF, a matching x86 GetPC stub at offset 0xB300 that decodes a buffer in place with that same key and then returns into it, and 69,144 bytes (56% of the file) lying outside every declared OLE stream. Together these point to a hidden, XOR-encoded shellcode payload rather than mere string obfuscation. The single VBA macro (Sub HANAMI in NewMacros) contains no executable statements, only the auto-generated "recorded on 2002-5-20 by EFairy" comment, so it is not the infection vector; it is most likely a leftover from the authoring environment or a decoy, and the delivery mechanism should be sought in the document structure, not in the macro.

Heuristics (5)

  • ClamAV: Doc.Trojan.1Table-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.1Table-1
  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateFileA', 'CreateFileA', 'CreateThread'
    Disassembly (the bytes at 0000B1E9 are the encoded string table itself, not code, so the instructions below are meaningless as x86)
    XORing the 96 bytes listed here with 0xFF gives the NUL-terminated names LoadLibraryA, CreateProcessA, ReadFile, WriteFile, CreateFileA, SetFilePointer, SetEndOfFile and the start of CloseHandle (the listing ends after "CloseHand"): an import table of the kind shellcode resolves at run time through LoadLibraryA and GetProcAddress, both of which this heuristic also found encoded.
    0000B1E9  b390              mov bl, 0x90
    0000B1EB  9e                sahf
    0000B1EC  9b                wait
    0000B1ED  b396              mov bl, 0x96
    0000B1EF  9d                popfd
    0000B1F0  8d9e8d86beff      lea ebx, [esi - 0x417973]
    0000B1F6  bc8d9a9e8b        mov esp, 0x8b9e9a8d
    0000B1FB  9aaf8d909c9a8c    lcall 0x8c9a, 0x9c908daf
    0000B202  8c                .byte 0x8c
    0000B203  beffad9a9e        mov esi, 0x9e9aadff
    0000B208  9b                wait
    0000B209  b996939aff        mov ecx, 0xff9a9396
    0000B20E  a88d              test al, 0x8d
    0000B210  96                xchg esi, eax
    0000B211  8b9ab996939a      mov ebx, dword ptr [edx - 0x656c6947]
    0000B217  ff                .byte 0xff
    0000B218  bc8d9a9e8b        mov esp, 0x8b9e9a8d
    0000B21D  9ab996939abeff    lcall 0xffbe, 0x9a9396b9
    0000B224  ac                lodsb al, byte ptr [esi]
    0000B225  9a8bb996939aaf    lcall 0xaf9a, 0x9396b98b
    0000B22C  90                nop
    0000B22D  96                xchg esi, eax
    0000B22E  91                xchg ecx, eax
    0000B22F  8b9a8dffac9a      mov ebx, dword ptr [edx - 0x65530073]
    0000B235  8bba919bb099      mov edi, dword ptr [edx - 0x664f646f]
    0000B23B  b996939aff        mov ecx, 0xff9a9396
    0000B240  bc93908c9a        mov esp, 0x9a8c9093
    0000B245  b79e              mov bh, 0x9e
    0000B247  91                xchg ecx, eax
    0000B248  9b                wait
  • x86 GetPC stub (CALL $+5; POP ECX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP ECX). The stub is a complete in-place XOR decoder: CALL $+5 / POP ECX leaves ECX = 0xB305, POP ESI takes a buffer address that earlier code (outside this listing) left on the stack, and SUB ECX, ESI turns that into a byte count, so the LODSB / XOR AL, 0xFF / STOSB / LOOP sequence decodes every byte from the buffer start up to the stub itself with the same 0xFF key seen in the string table. The final RET pops the value saved by PUSH ESI, transferring control into the freshly decoded buffer.
    Disassembly
    Attempted x86 opcode disassembly
    0000B300  e800000000        call 0xb305
    0000B305  59                pop ecx
    0000B306  5e                pop esi
    0000B307  2bce              sub ecx, esi
    0000B309  8bfe              mov edi, esi
    0000B30B  56                push esi
    0000B30C  ac                lodsb al, byte ptr [esi]
    0000B30D  34ff              xor al, 0xff
    0000B30F  aa                stosb byte ptr es:[edi], al
    0000B310  e2fa              loop 0xb30c
    0000B312  c3                ret
    0000B313  00 x77            77 zero bytes through 0000B35F (padding after the stub; each 00 00 pair disassembles as add byte ptr [eax], al)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 123,392 bytes but its declared streams total only 54,248 bytes, so 69,144 bytes (56%) sit outside any stream. A few sectors of that are normal structural overhead (header, FAT, directory and mini-FAT sectors, plus the tail padding of each stream); the rest is unallocated sector slack that no directory entry references. That slack is the canonical hiding place for exploit-based (as opposed to macro-based) Office attacks: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure. It should be carved and scanned separately, because stream-oriented tools never see it.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
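The XOR-encoded-strings and GetPC-stub findings above can be reproduced offline. The following is an added example written for this report, not the analysis platform's own detector: a brute-force single-byte-XOR scanner for Win32 API names that recovers the key without being told it, run over the 96 bytes transcribed from the 0000B1E9 listing, plus a Python model of the decoder loop at 0000B300. The API name list, the function names and the assumption that the ESI value popped from the stack is the buffer start are mine; the table bytes and the addresses come from the listing.

```python
"""Recover single-byte-XOR-encoded Win32 API names and replay the decoder loop."""

# Constructed sample: the 96 bytes the report disassembles at 0xB1E9..0xB248,
# transcribed from the listing. They are an XOR-0xFF string table, not code.
ENCODED_TABLE = bytes.fromhex(
    "b3909e9bb3969d8d9e8d86beff"        # LoadLibraryA\0
    "bc8d9a9e8b9aaf8d909c9a8c8cbeff"    # CreateProcessA\0
    "ad9a9e9bb996939aff"                # ReadFile\0
    "a88d968b9ab996939aff"              # WriteFile\0
    "bc8d9a9e8b9ab996939abeff"          # CreateFileA\0
    "ac9a8bb996939aaf9096918b9a8dff"    # SetFilePointer\0
    "ac9a8bba919bb099b996939aff"        # SetEndOfFile\0
    "bc93908c9ab79e919b"                # CloseHand (listing ends mid-string)
)
TABLE_OFFSET = 0xB1E9
STUB_RETURN = 0xB305      # value POP ECX receives from CALL $+5 at 0xB300

# Assumed watch list: the report's hits plus the rest of the table above.
# Any Win32 export list can be substituted.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"CreateProcessA", b"CreateFileA",
             b"CreateThread", b"ReadFile", b"WriteFile", b"SetFilePointer",
             b"SetEndOfFile", b"CloseHandle", b"VirtualAlloc", b"WinExec"]


def xor_bytes(buf, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in buf)


def find_xor_api_names(data, names=API_NAMES, min_len=8):
    """Try all 256 single-byte keys; return sorted (offset, key, name) for every
    API name whose XOR-encoding occurs in `data`. Key 0 catches plaintext."""
    hits = []
    for key in range(256):
        for name in names:
            if len(name) < min_len:          # short names false-positive easily
                continue
            enc = xor_bytes(name, key)
            pos = data.find(enc)
            while pos != -1:
                hits.append((pos, key, name.decode()))
                pos = data.find(enc, pos + 1)
    return sorted(hits)


def best_key(data, names=API_NAMES):
    """Key that explains the most API-name hits, or None if nothing matches."""
    counts = {}
    for _off, key, _name in find_xor_api_names(data, names):
        counts[key] = counts.get(key, 0) + 1
    return max(counts, key=counts.get) if counts else None


def split_c_strings(blob):
    """Split a NUL-separated string table into Python strings."""
    return [s.decode("ascii", "replace") for s in blob.split(b"\x00") if s]


def replay_decoder_stub(image, image_base, esi, key=0xFF, stub_return=STUB_RETURN):
    """Model of the stub at 0xB300: after CALL $+5 / POP ECX / POP ESI / SUB ECX,ESI
    it decodes ECX = stub_return - ESI bytes in place starting at ESI, then RETs
    into them. `esi` is the buffer address the caller left on the stack (not in
    the listing; assumed here). The decode is clipped to the bytes we hold."""
    if esi < image_base or esi >= stub_return:
        raise ValueError("buffer address must lie between image base and the stub")
    start = esi - image_base
    return xor_bytes(image[start:start + (stub_return - esi)], key)


if __name__ == "__main__":
    key = best_key(ENCODED_TABLE)
    print("recovered key: 0x%02x" % key)
    for off, k, name in find_xor_api_names(ENCODED_TABLE):
        print("  file offset 0x%05X key 0x%02x %s" % (TABLE_OFFSET + off, k, name))
    print(split_c_strings(replay_decoder_stub(ENCODED_TABLE, TABLE_OFFSET, TABLE_OFFSET)))
```

The scanner reports key 0xFF for seven of the eight names (CloseHandle is cut off in the listing, so it cannot match), which is how the SC_XOR_ENCODED heuristic's key is derived in practice: the key is whichever byte turns the most watch-list names into hits, not a value read from the stub. In the real sample the decode covers everything from the pushed buffer address up to 0xB305, so it includes this table.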
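The OLE_SLACK_ANOMALY figure is file size minus the sum of the directory's declared stream sizes, which lumps legitimate structural overhead in with true unallocated sectors. The following added example (written for this report, not the analysis platform's implementation) walks the compound-file FAT in pure Python to separate the two: it reports the naive slack figure and also lists the sectors no chain references, which is what should actually be carved. It assumes version 3 files with at most 109 FAT sectors (no DIFAT chain); the sample file it analyses is constructed inline, with one stream and three deliberately unreferenced sectors.

```python
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def _chain(fat, start):
    """Follow a FAT chain; stop on any special marker (>= 0xFFFFFFFA) or a loop."""
    seen, s = [], start
    while s < 0xFFFFFFFA and s < len(fat) and s not in seen:
        seen.append(s)
        s = fat[s]
    return seen


def ole_slack(data):
    """Declared-vs-actual size figures plus the sectors no chain references."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    major, _byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    ssz = 1 << sector_shift
    first_dir, = struct.unpack_from("<I", data, 0x30)
    cutoff, first_minifat = struct.unpack_from("<II", data, 0x38)
    difat = struct.unpack_from("<109I", data, 0x4C)      # assumption: no DIFAT chain
    fat_sectors = [s for s in difat if s < 0xFFFFFFFA]
    fat = []
    for s in fat_sectors:
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (s + 1) * ssz))
    allocated = set(fat_sectors)
    dir_chain = _chain(fat, first_dir)
    allocated.update(dir_chain)
    allocated.update(_chain(fat, first_minifat))
    streams = []
    for sec in dir_chain:                      # 128-byte directory entries
        base = (sec + 1) * ssz
        for off in range(base, base + ssz, 128):
            name_len, typ = struct.unpack_from("<HB", data, off + 64)
            start, size = struct.unpack_from("<IQ", data, off + 116)
            if major == 3:
                size &= 0xFFFFFFFF             # high dword is unused in v3 files
            if typ == STREAM:
                name = data[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
                streams.append((name, size))
            if typ == ROOT or (typ == STREAM and size >= cutoff):
                allocated.update(_chain(fat, start))   # root chain = mini stream container
    n_sectors = -(-(len(data) - ssz) // ssz)
    unref = [i for i in range(n_sectors) if i not in allocated]
    declared = sum(size for _, size in streams)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "slack_bytes": len(data) - declared,
            "slack_pct": round(100.0 * (len(data) - declared) / len(data), 1),
            "unreferenced_sectors": unref, "unreferenced_bytes": len(unref) * ssz,
            "streams": streams}


def carve_unreferenced(data, sectors, ssz=512):
    """Raw bytes of the unreferenced sectors, ready for XOR/shellcode scanning."""
    return b"".join(data[(s + 1) * ssz:(s + 2) * ssz] for s in sectors)


def build_sample_cfb(payload, hidden):
    """Constructed test file: directory in sector 0, FAT in sector 1, `payload`
    as one stream, then `hidden` in sectors the FAT leaves marked FREESECT."""
    ssz = 512
    n_data, n_hidden = -(-len(payload) // ssz), -(-len(hidden) // ssz)
    fat = [ENDOFCHAIN, FATSECT] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [FREESECT] * (ssz // 4 - len(fat))
    hdr = bytearray(ssz)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 0, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 1, *([FREESECT] * 108))

    def entry(name, typ, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), typ, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", STREAM, NOSTREAM, 2, len(payload)) + bytes(256))
    return (bytes(hdr) + directory + struct.pack("<%dI" % (ssz // 4), *fat)
            + payload.ljust(n_data * ssz, b"\x00") + hidden.ljust(n_hidden * ssz, b"\x00"))


def analyze_sample():
    return ole_slack(build_sample_cfb(b"W" * 4600, b"\x90" * 1500))


if __name__ == "__main__":
    print(analyze_sample())
```

On the constructed file the naive figure is 3,080 bytes (40.1%) of "slack", but only 1,536 bytes (three sectors) are genuinely unreferenced; the remainder is the header, FAT and directory sectors plus eight bytes of stream tail padding. Against a real sample, feed `carve_unreferenced` output to the XOR scanner rather than the whole file, so that hits can be attributed to the hidden region.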

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   559 bytes
SHA-256: 2a758fcc03dd3cd254ef2047dfa75b30c478ff6a2f15e171b66b4521c04fa715
Preview script
First 1,000 lines of the extracted script (the macro description string is Simplified Chinese in GBK encoding and reads "Macro recorded on 2002-5-20 by EFairy"; the procedure body is empty)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub HANAMI()
Attribute HANAMI.VB_Description = "宏在 2002-5-20 由 EFairy 录制"
Attribute HANAMI.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.HANAMI"
'
' HANAMI Macro
' 宏在 2002-5-20 由 EFairy 录制   (Word's auto-generated description: "Macro recorded on 2002-5-20 by EFairy")
'
End Sub