Verdict: MALICIOUS
Risk Score: 402

MITRE ATT&CK
- T1204.002 Malicious File
- T1203 Exploitation for Client Execution

Malware Insights
The sample is a Microsoft Word document that exploits CVE-2008-2244 to embed and execute a PE executable. The document body contains a plea for signatures on a petition, which includes a malicious URL. The embedded executable is likely a downloader for a second-stage payload, indicated by the presence of CreateProcess, WriteProcessMemory, and LoadLibrary API calls.
Heuristics (9)
- CVE-2008-2244 — Microsoft Word record-parsing payload [critical, CVE_2008_2244]: Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
- Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]: Reference to WriteProcessMemory API.
- XOR-encoded strings (key 0x11) [critical, SC_XOR_ENCODED]: Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x11: 'kernel32.dll'.
Disassembly (attempted x86 opcode disassembly of the payload region; the repeated 0x89 bytes indicate still-encoded data rather than meaningful code)

```
00010B61 7a74          jp 0x10bd7
00010B63 637f74        arpl word ptr [edi + 0x74], di
00010B66 7d22          jge 0x10b8a
00010B68 233f          and edi, dword ptr [edi]
00010B6A 757d          jne 0x10be9
00010B6C 7d89          jge 0x10af7
00010B6E 8989c8898989  mov dword ptr [ecx - 0x76767638], ecx
00010B74 ac            lodsb al, byte ptr [esi]
00010B75 b9a7b1f189    mov ecx, 0x89f1b1a7
00010B7A 8989edecefe8  mov dword ptr [ecx - 0x17101313], ecx
00010B80 fc            cld
00010B81 e5fd          in eax, 0xfd
00010B83 89fe          mov esi, edi
00010B85 e0e7          loopne 0x10b6e
00010B87 fa            cli
00010B88 fd            std
00010B89 e8b989d2ac    call 0xacd39547
00010B8E fa            cli
00010B8F d489          aam 0x89
00010B91 898989a28989  mov dword ptr [ecx - 0x76765d77], ecx
00010B97 89d4          mov esp, edx
00010B99 898989d28989  mov dword ptr [ecx - 0x76762d77], ecx
00010B9F 89cf          mov edi, ecx
00010BA1 8989892870a9  mov dword ptr [ecx - 0x568fd777], ecx
00010BA7 a389898989    mov dword ptr [0x89898989], eax
00010BAC 2870a9        sub byte ptr [eax - 0x57], dh
00010BAF a289898989    mov byte ptr [0x89898989], al
00010BB4 2870a9        sub byte ptr [eax - 0x57], dh
00010BB7 a4            movsb byte ptr es:[edi], byte ptr [esi]
00010BB8 898989892870  mov dword ptr [ecx + 0x70288989], ecx
00010BBE a9            .byte 0xa9
00010BBF a7            cmpsd dword ptr [esi], dword ptr es:[edi]
00010BC0 89            .byte 0x89
```
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document; possible embedded executable.
- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]: Reference to CreateProcess API.
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]: Reference to LoadLibrary API.
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 97,668 bytes but its declared streams total only 21,378 bytes; 76,290 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| http://www.freetenzin.org | In document text (OLE body) |
| https://secure.ga4.org/01/FreeTibetActionCampXI | In document text (OLE body) |
| http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H | In document text (OLE body) |
| http://www.microsoft.com/pki/certs/CSPCA.crt0 | In document text (OLE body) |
| http://crl.microsoft.com/pki/crl/products/tspca.crl0H | In document text (OLE body) |
| http://www.microsoft.com/pki/certs/tspca.crt0 | In document text (OLE body) |
| http://www.microsoft.com/windows0 | In document text (OLE body) |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00006214.exe | embedded-pe | Office MZ+PE at offset 0x6214 | 72560 bytes |

SHA-256 of embedded_office_00006214.exe: 318689fb324ae4469b970e1b1d7195815189c05f7d0594a0ab068dbd502b0101