Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9e6dc7c103792282…

MALICIOUS

Office (OLE) / .DOC

1.50 MB Created: 2016-11-23 16:25:04 Authoring application: Windows Installer XML v2.0.3719.0 (candle/light)
MD5: ed6b1dbcfe666b77c4d19fbed8ec4aed SHA-1: 13050b3e66aab90f1154b3e35b6e4ae3b303b8a9 SHA-256: 9e6dc7c103792282dfb4f1dbc2b9357033756eda1ffb99554f397d4042e70dcc
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an OLE document containing an embedded PE executable. Heuristics indicate the use of Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, suggesting the embedded executable is likely to be dropped and executed. The large slack space in the OLE structure is also anomalous. The document body content is not indicative of a specific lure, and no scripts were extracted.

Heuristics 10

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,573,625 bytes but its declared streams total only 14,187 bytes — 1,559,438 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://microsoft.com0
    • http://www.techygeekshome.co.ukARPHELPLINKARPCONTACTEnables
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
    • http://www.microsoft.com/pki/certs/CSPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H
    • http://www.microsoft.com/pki/certs/tspca.crt0
    • http://office.microsoft.com
    • http://support.microsoft.com/?kbid=xxxxxxPSS10R.CHMERRORSUPPORTTEXT_RETAIL_DEFAULT_PROBLEM_PREIf
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��
    • http://www.microsoft.com/PKI/docs/CPS/default.htm0@
    • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
    • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    • http://go.microsoft.com/fwlink/?LinkId=131000[VSDNETURLMSG]VSDFXAvailableMSVBDPCADLLCheckFXDIRCA_CheckFXv4.0VSDFrameworkVersionClientVSDFrameworkProfileFalseVSDAllowLaterFrameworkVersionsVSDNETCFGVsdLaunchConditionsVSDCA_VsdLaunchConditionsNOT
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://www.iec.ch

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000b400.exe
22c044f2f4c65a2a45ffc2b67574990b52055760163bbf3847c5c838f4dc63d4		 embedded-pe Office MZ+PE at offset 0xB400 1527545 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.