Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aeaa989ad1bc3140…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 415.0 KB
Created: 2012-11-23 04:35:00
Authoring application: Microsoft Office Word
First seen: 2015-09-24
MD5: 773cf918b0802bb5fefea0e2a9011890
SHA-1: cf397d105393734e1bf7f40045606b422df1c4a2
SHA-256: aeaa989ad1bc31408b3e2217eae8e3815b39c6bddf342a9ccf757d91cb4626db
Risk score: 222

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is a malicious OLE document that exploits CVE-2012-1856, a vulnerability in MSComctlLib.Toolbar.2, to achieve code execution. The presence of a NOP sled and a GetPC stub further indicates an exploit attempt. The large slack space in the OLE structure is also a common characteristic of weaponized documents.

Heuristics (6)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 [severity: high | CVE likely | id: CVE_2012_1856]
  • ClamAV: Win.Exploit.Fnstenv_mov-1 [severity: critical | id: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.Fnstenv_mov-1
  • NOP sled detected [severity: high | id: SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
    Disassembly (attempted x86 opcode disassembly):
    00002C50  90                nop
    00002C51  90                nop
    00002C52  90                nop
    00002C53  90                nop
    00002C54  90                nop
    00002C55  90                nop
    00002C56  90                nop
    00002C57  90                nop
    00002C58  90                nop
    00002C59  90                nop
    00002C5A  90                nop
    00002C5B  90                nop
    00002C5C  90                nop
    00002C5D  90                nop
    00002C5E  90                nop
    00002C5F  90                nop
    00002C60  90                nop
    00002C61  90                nop
    00002C62  90                nop
    00002C63  90                nop
    00002C64  90                nop
    00002C65  90                nop
    00002C66  90                nop
    00002C67  90                nop
    00002C68  0000              add byte ptr [eax], al
    00002C6A  0000              add byte ptr [eax], al
    00002C6C  0000              add byte ptr [eax], al
    00002C6E  0000              add byte ptr [eax], al
    00002C70  0000              add byte ptr [eax], al
    00002C72  0000              add byte ptr [eax], al
    00002C74  800000            add byte ptr [eax], 0
    00002C77  800000            add byte ptr [eax], 0
    00002C7A  008080008000      add byte ptr [eax + 0x800080], al
    00002C80  0000              add byte ptr [eax], al
    00002C82  800080            add byte ptr [eax], 0x80
    00002C85  0080800000c0      add byte ptr [eax - 0x3fffff80], al
    00002C8B  c0c000            rol al, 0
    00002C8E  808080000000ff    add byte ptr [eax + 0x80], 0xff
    00002C95  0000              add byte ptr [eax], al
    00002C97  ff00              inc dword ptr [eax]
    00002C99  0000              add byte ptr [eax], al
    00002C9B  ff                .byte 0xff
    00002C9C  ff00              inc dword ptr [eax]
    00002C9E  ff00              inc dword ptr [eax]
    00002CA0  0000              add byte ptr [eax], al
    00002CA2  ff00              inc dword ptr [eax]
    00002CA4  ff00              inc dword ptr [eax]
    00002CA6  ff                .byte 0xff
    00002CA7  ff00              inc dword ptr [eax]
    00002CA9  00ff              add bh, bh
    00002CAB  ff                .byte 0xff
    00002CAC  ff00              inc dword ptr [eax]
    00002CAE  ff                .byte 0xff
    00002CAF  ff                .byte 0xff
  • x86 GetPC stub (FSTENV) [severity: high | id: SC_GETPC_FSTENV]
    Disassembly (attempted x86 opcode disassembly):
    00006E4A  d9ee              fldz
    00006E4C  d97424f4          fnstenv [esp - 0xc]
    00006E50  5b                pop ebx
    00006E51  817313889756f4    xor dword ptr [ebx + 0x13], 0xf4569788
    00006E58  83ebfc            sub ebx, -4
    00006E5B  e2f4              loop 0x6e51
    00006E5D  60                pushal
    00006E5E  af                scasd eax, dword ptr es:[edi]
    00006E5F  56                push esi
    00006E60  f4                hlt
    00006E61  883a              mov byte ptr [edx], bh
    00006E63  cd89              int 0x89
    00006E65  57                push edi
    00006E66  3b5e2e            cmp ebx, dword ptr [esi + 0x2e]
    00006E69  fe81330e987b      inc byte ptr [ecx + 0x7b980e33]
    00006E6F  c1f784            sal edi, 0x84
    00006E72  6c                insb byte ptr es:[edi], dx
    00006E73  c10987            ror dword ptr [ecx], 0x87
    00006E76  a4                movsb byte ptr es:[edi], byte ptr [esi]
    00006E77  9c                pushfd
    00006E78  7ed3              jle 0x6e4d
    00006E7A  7d1f              jge 0x6e9b
    00006E7C  7e60              jle 0x6ede
    00006E7E  4e                dec esi
    00006E7F  dc                .byte 0xdc
    00006E80  d7                xlatb
    00006E81  61                popal
    00006E82  0fa8              push gs
    00006E84  7e86              jle 0x6e0c
    00006E86  e725              out 0x25, eax
    00006E88  1bbe61744df4      sbb edi, dword ptr [esi - 0xbb28b9f]
    00006E8E  e98e16fb93        jmp 0x93fb8521
    00006E93  1f                pop ds
    00006E94  c6                .byte 0xc6
    00006E95  5b                pop ebx
    00006E96  882f              mov byte ptr [edi], ch
    00006E98  fe                .byte 0xfe
    00006E99  60                pushal
    00006E9A  cc                int3
    00006E9B  037d6d            add edi, dword ptr [ebp + 0x6d]
    00006E9E  16                push ss
    00006E9F  babc8a9756        mov edx, 0x56978abc
    00006EA4  7dd5              jge 0x6e7b
    00006EA6  6b3cc4d1          imul edi, dword ptr [esp + eax*8], -0x2f
  • OLE document has large unaccounted-for region [severity: high | id: OLE_SLACK_ANOMALY]
    OLE file is 425,000 bytes but its declared streams total only 20,824 bytes — 404,176 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [severity: info | id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)