MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document that exploits CVE-2012-1856, a vulnerability in MSComctlLib.Toolbar. This exploit allows for the execution of arbitrary code, likely to download and run a secondary payload. The presence of a NOP sled and XOR-encoded strings further indicates malicious intent.
Heuristics 5
-
MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
-
XOR-encoded strings (key 0xC7) critical SC_XOR_ENCODEDFound 3 Windows library/API name(s) XOR-encoded with single-byte key 0xC7: 'LoadLibraryW', 'GetProcAddress', 'CreateProcessA'
Disassembly
Attempted x86 opcode disassembly000143AE 8ba8a6a38bae mov ebp, dword ptr [eax - 0x51745c5a] 000143B4 a5 movsd dword ptr es:[edi], dword ptr [esi] 000143B5 b5a6 mov ch, 0xa6 000143B7 b5be mov ch, 0xbe 000143B9 90 nop 000143BA 0000 add byte ptr [eax], al 000143BC a3c580a2b3 mov dword ptr [0xb3a280c5], eax 000143C1 94 xchg esp, eax 000143C2 b3a3 mov bl, 0xa3 000143C4 8f .byte 0x8f 000143C5 a6 cmpsb byte ptr [esi], byte ptr es:[edi] 000143C6 a9a3aba200 test eax, 0xa2aba3 000143CB 00d3 add bl, dl 000143CD c580a2b38aa8 lds eax, ptr [eax - 0x57754c5e] 000143D3 a3b2aba281 mov dword ptr [0x81a2abb2], eax 000143D8 ae scasb al, byte ptr es:[edi] 000143D9 ab stosd dword ptr es:[edi], eax 000143DA a289a6aaa2 mov byte ptr [0xa2aaa689], al 000143DF 90 nop 000143E0 0000 add byte ptr [eax], al 000143E2 0ac5 or al, ch 000143E4 8f .byte 0x8f 000143E5 a2a6b784b5 mov byte ptr [0xb584b7a6], al 000143EA a2a6b3a200 mov byte ptr [0xa2b3a6], al 000143EF 00d4 add ah, dl 000143F1 c580a2b38aa8 lds eax, ptr [eax - 0x57754c5e] 000143F7 a3b2aba281 mov dword ptr [0x81a2abb2], eax 000143FC ae scasb al, byte ptr es:[edi] 000143FD ab stosd dword ptr es:[edi], eax 000143FE a289a6aaa2 mov byte ptr [0xa2aaa689], al 00014403 8600 xchg byte ptr [eax], al 00014405 00a6c681b5a2 add byte ptr [esi - 0x5d4a7e3a], ah 0001440B a2 .byte 0xa2 0001440C 82 .byte 0x82 0001440D a9 .byte 0xa9
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
Disassembly
Attempted x86 opcode disassembly00002C50 90 nop 00002C51 90 nop 00002C52 90 nop 00002C53 90 nop 00002C54 90 nop 00002C55 90 nop 00002C56 90 nop 00002C57 90 nop 00002C58 90 nop 00002C59 90 nop 00002C5A 90 nop 00002C5B 90 nop 00002C5C 90 nop 00002C5D 90 nop 00002C5E 90 nop 00002C5F 90 nop 00002C60 90 nop 00002C61 90 nop 00002C62 90 nop 00002C63 90 nop 00002C64 90 nop 00002C65 90 nop 00002C66 90 nop 00002C67 90 nop 00002C68 0000 add byte ptr [eax], al 00002C6A 0000 add byte ptr [eax], al 00002C6C 0000 add byte ptr [eax], al 00002C6E 0000 add byte ptr [eax], al 00002C70 0000 add byte ptr [eax], al 00002C72 0000 add byte ptr [eax], al 00002C74 800000 add byte ptr [eax], 0 00002C77 800000 add byte ptr [eax], 0 00002C7A 008080008000 add byte ptr [eax + 0x800080], al 00002C80 0000 add byte ptr [eax], al 00002C82 800080 add byte ptr [eax], 0x80 00002C85 0080800000c0 add byte ptr [eax - 0x3fffff80], al 00002C8B c0c000 rol al, 0 00002C8E 808080000000ff add byte ptr [eax + 0x80], 0xff 00002C95 0000 add byte ptr [eax], al 00002C97 ff00 inc dword ptr [eax] 00002C99 0000 add byte ptr [eax], al 00002C9B ff .byte 0xff 00002C9C ff00 inc dword ptr [eax] 00002C9E ff00 inc dword ptr [eax] 00002CA0 0000 add byte ptr [eax], al 00002CA2 ff00 inc dword ptr [eax] 00002CA4 ff00 inc dword ptr [eax] 00002CA6 ff .byte 0xff 00002CA7 ff00 inc dword ptr [eax] 00002CA9 00ff add bh, bh 00002CAB ff .byte 0xff 00002CAC ff00 inc dword ptr [eax] 00002CAE ff .byte 0xff 00002CAF ff .byte 0xff
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 266,832 bytes but its declared streams total only 20,824 bytes — 246,008 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.