Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab28849cf1eea4dc…

MALICIOUS

Office (OLE)

Size: 78.5 KB
Created: 2008-03-05 03:19:00
Authoring application: Microsoft Office Word
First seen: 2015-09-17
MD5: 29fd9dca7f9bee85017cf8d4f382f340
SHA-1: 9c345676bf43e0a1cb25530be8d684bbac80238b
SHA-256: ab28849cf1eea4dc41f20950d380e45c863727f0caa8cd6cbd614efe7c30b14a
Risk score: 100

Malware Insights

The sample triggers a critical-severity heuristic for XOR-encoded strings and a high-severity heuristic for a large amount of slack space within the OLE structure; both indicate obfuscation and the potential for hidden malicious content. The single-byte XOR key 0xA4 was identified, suggesting a method for hiding malicious commands or URLs. While no VBA or script content was directly extracted, these heuristics strongly suggest that the document is designed to execute a secondary payload, likely via Visual Basic for Applications, hence the mapping to ATT&CK technique T1059.005.

Heuristics (2)

  • XOR-encoded strings (key 0xA4) [severity: critical] SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
    Disassembly
    Attempted x86 opcode disassembly of the flagged region. The bytes are still XOR-encoded at this point, so the instruction stream below is not meaningful code: the first 13 bytes at 0x889 (e8 cb c5 c0 e8 cd c6 d6 c5 d6 dd e5 a4) are 'LoadLibraryA' followed by a NUL terminator, each byte XORed with 0xA4.
    00000889  e8cbc5c0e8        call 0xe8c0ce59
    0000088E  cdc6              int 0xc6
    00000890  d6                salc
    00000891  c5                .byte 0xc5
    00000892  d6                salc
    00000893  dde5              fucom st(5)
    00000895  a4                movsb byte ptr es:[edi], byte ptr [esi]
    00000896  f35b              pop ebx
    00000898  742d              je 0x8c7
    0000089A  2108              and dword ptr [eax], ecx
    0000089C  59                pop ecx
    0000089D  5b                pop ebx
    0000089E  5b                pop ebx
    0000089F  c52f              lds ebp, ptr [edi]
    000008A1  2110              and dword ptr [eax], edx
    000008A3  59                pop ecx
    000008A4  5b                pop ebx
    000008A5  5b                pop ebx
    000008A6  2d21f0595b        sub eax, 0x5b59f021
    000008AB  5b                pop ebx
    000008AC  2f                das
    000008AD  2910              sub dword ptr [eax], edx
    000008AF  59                pop ecx
    000008B0  5b                pop ebx
    000008B1  5b                pop ebx
    000008B2  27                daa
    000008B3  65b42d            mov ah, 0x2d
    000008B6  29605a            sub dword ptr [eax + 0x5a], esp
    000008B9  5b                pop ebx
    000008BA  5b                pop ebx
    000008BB  2f                das
    000008BC  3110              xor dword ptr [eax], edx
    000008BE  59                pop ecx
    000008BF  5b                pop ebx
    000008C0  5b                pop ebx
    000008C1  27                daa
    000008C2  66842d316c5a5b    test byte ptr [0x5b5a6c31], ch
    000008C9  5b                pop ebx
    000008CA  2f                das
    000008CB  2110              and dword ptr [eax], edx
    000008CD  59                pop ecx
    000008CE  5b                pop ebx
    000008CF  5b                pop ebx
    000008D0  2f                das
    000008D1  ec                in al, dx
    000008D2  e22d              loop 0x901
    000008D4  e97c2f3110        jmp 0x10313855
    000008D9  59                pop ecx
    000008DA  5b                pop ebx
    000008DB  5b                pop ebx
    000008DC  2f                das
    000008DD  e6ee              out 0xee, al
    000008DF  2de1782f29        sub eax, 0x292f78e1
    000008E4  10595b            adc byte ptr [ecx + 0x5b], bl
    000008E7  5b                pop ebx
    000008E8  2f                das
  • OLE document has large unaccounted-for region [severity: high] OLE_SLACK_ANOMALY
    OLE file is 80,385 bytes but its declared streams total only 20,635 bytes — 59,750 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).