Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab8406a704dc5308…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 1.00 MB
Authoring application: Microsoft Excel
First seen: 2015-09-23
MD5: 6ea7c74f911392dc4ffe28c59eb26887
SHA-1: aca6005346dc2114a3f3df10eb8bc31e16432286
SHA-256: ab8406a704dc53086b6cc63eb1308cfa1d8f05c4b2d18f867741d564984e61bd
Risk score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is a legacy binary Excel workbook (OLE compound file) with a large slack-space anomaly: 77% of the file lies outside every declared stream. It carries a VBA project, but the extracted modules contain only attribute lines and no executable statements, so the macros are not the attack vector; the T1059 and T1059.005 tags reflect the presence of the project, not observed macro behaviour. The file also contains a run of 0x41 bytes (inc ecx, a NOP-equivalent sled), a reference to VirtualAlloc, and a table of Windows API names XOR-encoded with the single-byte key 0xDE. Decoding the bytes shown in the listing with that key yields GetProcAddress, GetTempPathA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile and the start of CloseHandle; the scanner additionally matched CreateProcessA, ExitProcess and CreateFileW. That import set is the classic signature of exploit shellcode that reads an embedded second stage out of the document file, writes it to the temp directory and runs it. No network API names appear among the decoded strings, so a download stage is not indicated; the payload is carried inside the file. Code execution therefore most plausibly relies on a document-parser vulnerability (T1203) rather than on VBA.

Heuristics (5)

  • XOR-encoded strings (key 0xDE) [critical, SC_XOR_ENCODED]
    The scanner matched 5 known Windows API names XOR-encoded with the single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'. Single-byte XOR exists precisely so that the names do not show up in a strings dump; the key is trivially recovered because a known name XORed with the right key must appear verbatim in the file.
    Disassembly
    Attempted x86 opcode disassembly. The disassembler was run over the still-encoded bytes, so the instructions below are not meaningful code; XORing each byte with 0xDE instead yields a NUL-separated string table: GetProcAddress, GetTempPathA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandl (the window is cut off inside the last name). The table holds more names than the keyword list matched.
    00010BFD  99                cdq
    00010BFE  bbaa8eacb1        mov ebx, 0xb1ac8eaa
    00010C03  bd9fbabaac        mov ebp, 0xacbaba9f
    00010C08  bbadadde99        mov ebx, 0x99deadad
    00010C0D  bbaa8abbb3        mov ebx, 0xb3bb8aaa
    00010C12  ae                scasb al, byte ptr es:[edi]
    00010C13  8e                .byte 0x8e
    00010C14  bfaab69fde        mov edi, 0xde9fb6aa
    00010C19  9d                popfd
    00010C1A  ac                lodsb al, byte ptr [esi]
    00010C1B  bbbfaabb98        mov ebx, 0x98bbaabf
    00010C20  b7b2              mov bh, 0xb2
    00010C22  bb9fde99bb        mov ebx, 0xbb99de9f
    00010C27  aa                stosb byte ptr es:[edi], al
    00010C28  98                cwde
    00010C29  b7b2              mov bh, 0xb2
    00010C2B  bb8db7a4bb        mov ebx, 0xbba4b78d
    00010C30  de8dbbaa98b7      fimul word ptr [ebp - 0x48675545]
    00010C36  b2bb              mov dl, 0xbb
    00010C38  8e                .byte 0x8e
    00010C39  b1b7              mov cl, 0xb7
    00010C3B  b0aa              mov al, 0xaa
    00010C3D  bbacde8cbb        mov ebx, 0xbb8cdeac
    00010C42  bfba98b7b2        mov edi, 0xb2b798ba
    00010C47  bbde89acb7        mov ebx, 0xb7ac89de
    00010C4C  aa                stosb byte ptr es:[edi], al
    00010C4D  bb98b7b2bb        mov ebx, 0xbbb2b798
    00010C52  de9db2b1adbb      ficomp word ptr [ebp - 0x44524e4e]
    00010C58  96                xchg esi, eax
    00010C59  bf                .byte 0xbf
    00010C5A  b0ba              mov al, 0xba
    00010C5C  b2                .byte 0xb2
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 1,050,741 bytes but its declared streams total only 240,528 bytes, leaving 810,213 bytes (77%) in sectors that no stream accounts for. Ordinary workbooks accumulate some slack from edits and deleted streams, but not three-quarters of the file. Unallocated space is the classic hiding place for payloads in exploit documents in the legacy binary Office formats: the shellcode and the encoded second stage sit outside any stream, where nothing parses them until a memory-corruption bug in the application's own parser (not a macro) redirects execution to them.
  • NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]
    The listing shows 86 consecutive 0x41 bytes from 0x00016D23 to 0x00016D78. As x86 code each one is a single-byte inc ecx, so a corrupted control transfer that lands anywhere in the run slides to its end without faulting. 0x41 is also ASCII 'A', a common filler byte, which is why this finding is medium rather than critical on its own.
    Disassembly
    Attempted x86 opcode disassembly
    00016D23  41                inc ecx
    00016D24  41                inc ecx
    00016D25  41                inc ecx
    00016D26  41                inc ecx
    00016D27  41                inc ecx
    00016D28  41                inc ecx
    00016D29  41                inc ecx
    00016D2A  41                inc ecx
    00016D2B  41                inc ecx
    00016D2C  41                inc ecx
    00016D2D  41                inc ecx
    00016D2E  41                inc ecx
    00016D2F  41                inc ecx
    00016D30  41                inc ecx
    00016D31  41                inc ecx
    00016D32  41                inc ecx
    00016D33  41                inc ecx
    00016D34  41                inc ecx
    00016D35  41                inc ecx
    00016D36  41                inc ecx
    00016D37  41                inc ecx
    00016D38  41                inc ecx
    00016D39  41                inc ecx
    00016D3A  41                inc ecx
    00016D3B  41                inc ecx
    00016D3C  41                inc ecx
    00016D3D  41                inc ecx
    00016D3E  41                inc ecx
    00016D3F  41                inc ecx
    00016D40  41                inc ecx
    00016D41  41                inc ecx
    00016D42  41                inc ecx
    00016D43  41                inc ecx
    00016D44  41                inc ecx
    00016D45  41                inc ecx
    00016D46  41                inc ecx
    00016D47  41                inc ecx
    00016D48  41                inc ecx
    00016D49  41                inc ecx
    00016D4A  41                inc ecx
    00016D4B  41                inc ecx
    00016D4C  41                inc ecx
    00016D4D  41                inc ecx
    00016D4E  41                inc ecx
    00016D4F  41                inc ecx
    00016D50  41                inc ecx
    00016D51  41                inc ecx
    00016D52  41                inc ecx
    00016D53  41                inc ecx
    00016D54  41                inc ecx
    00016D55  41                inc ecx
    00016D56  41                inc ecx
    00016D57  41                inc ecx
    00016D58  41                inc ecx
    00016D59  41                inc ecx
    00016D5A  41                inc ecx
    00016D5B  41                inc ecx
    00016D5C  41                inc ecx
    00016D5D  41                inc ecx
    00016D5E  41                inc ecx
    00016D5F  41                inc ecx
    00016D60  41                inc ecx
    00016D61  41                inc ecx
    00016D62  41                inc ecx
    00016D63  41                inc ecx
    00016D64  41                inc ecx
    00016D65  41                inc ecx
    00016D66  41                inc ecx
    00016D67  41                inc ecx
    00016D68  41                inc ecx
    00016D69  41                inc ecx
    00016D6A  41                inc ecx
    00016D6B  41                inc ecx
    00016D6C  41                inc ecx
    00016D6D  41                inc ecx
    00016D6E  41                inc ecx
    00016D6F  41                inc ecx
    00016D70  41                inc ecx
    00016D71  41                inc ecx
    00016D72  41                inc ecx
    00016D73  41                inc ecx
    00016D74  41                inc ecx
    00016D75  41                inc ecx
    00016D76  41                inc ecx
    00016D77  41                inc ecx
    00016D78  41                inc ecx
    00016D79  0101              add dword ptr [ecx], eax
    00016D7B  80800000000000    add byte ptr [eax], 0
    00016D82  00                .byte 0x00
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    The string 'VirtualAlloc' appears in the file. A spreadsheet has no reason to name this API; in shellcode it is the usual way to obtain writable, executable memory for a decoded stage.
  • VBA project contains no executable statements [low, OLE_VBA_MACROS]
    The document contains a VBA project, but the extracted modules hold only attribute lines, Option statements and comments, and no executable statements. Both modules are the default document modules Excel creates for every workbook (ThisWorkbook and Sheet1; the VB_Base GUIDs are the Excel Workbook and Worksheet coclasses), so the project is an empty shell, not a macro dropper.
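The three shellcode heuristics above are easy to reproduce by hand. The script below is an added example, not the analysis tool's code: it brute-forces the single-byte XOR key against a short list of known API names, decodes the string table it finds, and scans for runs of single-byte NOP-equivalent opcodes. The 96 encoded bytes are transcribed from the listing at 0x00010BFD; the sled region is constructed from the report's description (86 bytes of 0x41 followed by the 01 01 80 80 00 … bytes the listing shows); the zero filler around them, and therefore the offsets the functions return, are constructed and carry no meaning.

```python
"""Re-check the XOR-string and NOP-sled heuristics on the bytes this report shows.

Added example, not the analysis tool's code. ENCODED is transcribed from the
disassembly listing at 0x00010BFD; SLED and BLOB are constructed test input.
"""

# 96 still-encoded bytes copied from the listing at 0x00010BFD-0x00010C5C.
ENCODED = bytes.fromhex(
    "99bbaa8eacb1bd9fbabaacbbadadde"      # GetProcAddress\0
    "99bbaa8abbb3ae8ebfaab69fde"          # GetTempPathA\0
    "9dacbbbfaabb98b7b2bb9fde"            # CreateFileA\0
    "99bbaa98b7b2bb8db7a4bbde"            # GetFileSize\0
    "8dbbaa98b7b2bb8eb1b7b0aabbacde"      # SetFilePointer\0
    "8cbbbfba98b7b2bbde"                  # ReadFile\0
    "89acb7aabb98b7b2bbde"                # WriteFile\0
    "9db2b1adbb96bfb0bab2"                # CloseHandl (listing ends here)
)

# Constructed stand-in for the region at 0x00016D23: 86 x 0x41, then the
# bytes the listing shows after the run.
SLED = b"\x41" * 86 + bytes.fromhex("01018080000000000000")

# Constructed blob so the offsets below are not simply 0: sled, filler, table.
BLOB = SLED + b"\x00" * 32 + ENCODED + b"\x00" * 16

# API names worth looking for in a document file (the report's five plus
# VirtualAlloc). A real scan would use a much longer list.
KNOWN_APIS = [b"GetProcAddress", b"CreateProcessA", b"ExitProcess",
              b"CreateFileA", b"CreateFileW", b"VirtualAlloc"]

# One-byte x86 opcodes that do not disturb a landing: nop, inc/dec r32.
NOP_EQUIVALENT = {0x90} | set(range(0x40, 0x50))


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def brute_force_xor_key(blob: bytes, needles=KNOWN_APIS) -> dict:
    """Try every single-byte key except 0 (plaintext) and return
    {key: [(offset, name), ...]} for keys that expose a known API name."""
    hits = {}
    for key in range(1, 256):
        found = []
        for name in needles:
            enc = xor_bytes(name, key)
            off = blob.find(enc)
            while off != -1:
                found.append((off, name.decode()))
                off = blob.find(enc, off + 1)
        if found:
            hits[key] = sorted(found)
    return hits


def decode_string_table(blob: bytes, key: int, start: int):
    """Decode NUL-separated ASCII strings from `start` under `key`.
    Returns (complete_strings, trailing_partial); decoding stops at the first
    byte that decodes to something other than printable ASCII or NUL."""
    strings, cur = [], bytearray()
    for b in blob[start:]:
        p = b ^ key
        if p == 0:
            strings.append(cur.decode())
            cur = bytearray()
        elif 0x20 <= p < 0x7F:
            cur.append(p)
        else:
            break
    return strings, cur.decode()


def find_nop_equivalent_runs(blob: bytes, min_len: int = 32):
    """Return (offset, length, byte) for every run of one repeated
    NOP-equivalent byte at least `min_len` long."""
    runs, i = [], 0
    while i < len(blob):
        if blob[i] not in NOP_EQUIVALENT:
            i += 1
            continue
        j = i
        while j < len(blob) and blob[j] == blob[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, blob[i]))
        i = j
    return runs


if __name__ == "__main__":
    hits = brute_force_xor_key(BLOB)
    for key, found in hits.items():
        print(f"key 0x{key:02X}: {found}")
        strings, partial = decode_string_table(BLOB, key, found[0][0])
        print("  table:", strings, "partial:", partial or None)
    for off, n, b in find_nop_equivalent_runs(BLOB):
        print(f"sled: {n} x 0x{b:02X} at offset {off}")
```

Run against the whole sample rather than the constructed blob, the brute force is O(256 × needles × filesize) and finishes in seconds on a 1 MB file; the table decoder is then pointed at the lowest hit to walk the string table forward, which is how the extra names (GetTempPathA, GetFileSize, SetFilePointer, ReadFile, WriteFile) surface even though the scanner's keyword list did not match them. The sled finder deliberately requires a single repeated byte, matching the report's "run of 0x41" wording; runs of 'A' also occur in benign padding, so treat a hit as corroboration of the XOR finding, not as proof by itself.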

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Preview of the extracted script (the viewer caps the preview at 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
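Confirming the "no executable statements" verdict on an olevba dump is a one-minute check worth scripting, because every workbook saved from Excel carries these two attribute-only document modules and "has a VBA project" alone means nothing. The following is an added example, not part of olevba or of this report: it splits the decoded source into modules, drops the lines that carry no code (Attribute, Option, comments, blanks) and reports what remains together with any auto-executing procedure names. The first input is a copy of the macros.bas shown above; the second is a constructed module with a real statement, added only to show the difference.

```python
"""Triage decoded VBA source: is there anything that actually runs?

Added example, not olevba code. MACROS_BAS is a copy of the report's artifact;
DROPPER_BAS is a constructed counter-example.
"""
import re

# Copy of the extracted macros.bas shown above (the report's own artifact).
MACROS_BAS = '''Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'''

# Constructed counter-example: the same shell plus one auto-running procedure
# appended to the Sheet1 module.
DROPPER_BAS = MACROS_BAS + '''
Option Explicit
' harmless-looking comment
Rem another comment style
Sub Auto_Open()
    Shell "cmd.exe /c calc.exe", vbHide
End Sub
'''

# Lines that carry no executable code: attributes, Option statements, comments.
_NON_EXECUTABLE = re.compile(r"^\s*(?:Attribute\s+VB_\w+\s*=|Option\s+\w+|'|Rem\b)", re.I)

# Procedure names Office runs without user interaction (olevba's AutoExec
# keyword list is longer; these are the common Excel/Word entry points).
_AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+"
    r"(Auto_?Open|Auto_?Close|AutoExec|Workbook_Open|Workbook_Activate|Document_Open|Document_Close)\b",
    re.I,
)


def split_modules(src: str) -> dict:
    """Split decoded VBA source into {module_name: [lines]} using the
    'Attribute VB_Name' line olevba emits at the start of each module."""
    modules, current = {}, None
    for line in src.splitlines():
        m = re.match(r'^\s*Attribute\s+VB_Name\s*=\s*"([^"]*)"', line, re.I)
        if m:
            current = m.group(1)
            modules[current] = []
        if current is not None:
            modules[current].append(line)
    return modules


def executable_lines(lines) -> list:
    """Stripped lines that are neither blank nor attribute/option/comment."""
    return [l.strip() for l in lines if l.strip() and not _NON_EXECUTABLE.match(l)]


def autoexec_procedures(lines) -> list:
    """Names of auto-executing Sub/Function declarations in the module."""
    return [m.group(1) for l in lines for m in [_AUTOEXEC.match(l)] if m]


def assess(src: str) -> dict:
    """Per-module summary: executable lines and auto-exec entry points."""
    return {
        name: {"executable": executable_lines(lines),
               "autoexec": autoexec_procedures(lines)}
        for name, lines in split_modules(src).items()
    }


if __name__ == "__main__":
    for label, src in (("macros.bas", MACROS_BAS), ("constructed dropper", DROPPER_BAS)):
        print(label, assess(src))
```

On the report's artifact both modules come back with an empty `executable` list, which is exactly the heuristic's claim; on the constructed module the Sub/End Sub pair, the Shell call and the Auto_Open entry point are reported. This check only says whether the VBA runs; it says nothing about the rest of the file, which in this sample is where the real payload lives.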