Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92dd0413c0ed37c5…

MALICIOUS

Office (OLE)

Size: 2.86 MB
Created: 2003-11-02 01:22:43
Authoring application: Microsoft PowerPoint
First seen: 2014-04-13
MD5: 5c29999fcc8ca1bd9d990ca052aaef83
SHA-1: 1def616983d5b8aa57d1abf51611f887dfe2d051
SHA-256: 92dd0413c0ed37c5cda38a01c7299280b2f9ab1af133516a7f2994b75fcc2154
Risk Score: 102

Heuristics (4)

  • Heap-spray pattern detected [high] SC_HEAP_SPRAY
    Repeated 0x04 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes
    Disassembly
    Attempted x86 opcode disassembly
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd (In document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (In document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text, OLE body)
    • http://ns.adobe.com/iX/1.0/ (In document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (In document text, OLE body)