Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b70f7629b49282c6…

Verdict: MALICIOUS

File type: Office (OLE)
Size: 76.3 KB (78,180 bytes)
Created: 2005-02-17 14:33:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14

MD5: b7f3465c676fa612e14e9a30ffeea645
SHA-1: 4a61f0d787764330fd69a9516190dfc81ba59454
SHA-256: b70f7629b49282c6080187e2542219ea5e2f534b444d888619d5c14f4712770a

Risk score: 110

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an OLE document written by Microsoft Word 9.0 in which 79% of the file (61,963 of 78,180 bytes) lies outside every declared stream. Inside that unallocated region the XOR heuristic found the library name 'shell32.dll' encoded with the single-byte key 0x34, and applying the same key to the bytes shown in the disassembly listing below also yields the strings c:\~$temp.doc, Progman and Program Manager (the latter two are the class name and window title of the Windows desktop shell window). Encoded library and window names sitting in the slack space of a pre-macro-era document are consistent with a document-parser exploit carrying an embedded shellcode payload, and that finding, not the macro, is the basis of the verdict. The VBA project is an empty ThisDocument module: its only content is attributes, one of which references a GifAnimator ActiveX control (ImageOleLib), which is consistent with the image-animator text found in the document body. The body additionally contains the URL http://www.tibetanhealingfund.org, which is recorded as context and is not itself a detection.

Heuristics (4)

  • XOR-encoded strings (key 0x34) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x34: 'shell32.dll'
    Disassembly
    Attempted x86 opcode disassembly of the bytes at file offset 0x148B as they sit on disk, i.e. still XOR-encoded. The listing is reproduced as the tool emitted it but is not meaningful code: decoding the same bytes with key 0x34 gives the NUL-separated strings shell32.dll, c:\~$temp.doc, Progman and Program Manager, followed by a run of 0xCB bytes, which is 0xFF under the same key (fill, not instructions).
    0000148B  47                inc edi
    0000148C  5c                pop esp
    0000148D  51                push ecx
    0000148E  58                pop eax
    0000148F  58                pop eax
    00001490  07                pop es
    00001491  06                push es
    00001492  1a5058            sbb dl, byte ptr [eax + 0x58]
    00001495  58                pop eax
    00001496  3457              xor al, 0x57
    00001498  0e                push cs
    00001499  684a104051        push 0x5140104a
    0000149E  59                pop ecx
    0000149F  44                inc esp
    000014A0  1a505b            sbb dl, byte ptr [eax + 0x5b]
    000014A3  57                push edi
    000014A4  3464              xor al, 0x64
    000014A6  46                inc esi
    000014A7  5b                pop ebx
    000014A8  53                push ebx
    000014A9  59                pop ecx
    000014AA  55                push ebp
    000014AB  5a                pop edx
    000014AC  3464              xor al, 0x64
    000014AE  46                inc esi
    000014AF  5b                pop ebx
    000014B0  53                push ebx
    000014B1  46                inc esi
    000014B2  55                push ebp
    000014B3  59                pop ecx
    000014B4  1479              adc al, 0x79
    000014B6  55                push ebp
    000014B7  5a                pop edx
    000014B8  55                push ebp
    000014B9  53                push ebx
    000014BA  51                push ecx
    000014BB  46                inc esi
    000014BC  34cb              xor al, 0xcb
    000014BE  cb                retf
    (the same 0xCB byte repeats through 000014EA; 45 identical lines elided)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 78,180 bytes but its declared streams total only 16,217 bytes — 61,963 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.tibetanhealingfund.org (found in the document text, OLE body)
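To reproduce the SC_XOR_ENCODED finding and see what else the key recovers, here is an added Python example; it is not part of the report or of its analysis tooling. The byte buffer is transcribed from the opcode column of the disassembly listing above (file offsets 0x148B to 0x14EA), and the list of library/API names to brute-force against is an assumption, a short stand-in for whatever list the heuristic actually uses. The search tries every single-byte key against every name, then XOR-decodes the surrounding bytes with the key that hit and splits them on NUL, which is how the three extra strings next to 'shell32.dll' fall out.

```python
# Added example (not the report's tooling): brute-force the single-byte XOR key
# the SC_XOR_ENCODED heuristic reports, then recover the neighbouring strings.

# Raw bytes transcribed from the opcode column of the disassembly listing
# (file offsets 0x148B..0x14EA): 50 bytes of encoded text, then 46 x 0xCB.
LISTING_OFFSET = 0x148B
LISTING = bytes.fromhex(
    "47 5c 51 58 58 07 06 1a 50 58 58 34"                # shell32.dll\0 under key 0x34
    "57 0e 68 4a 10 40 51 59 44 1a 50 5b 57 34"          # c:\~$temp.doc\0
    "64 46 5b 53 59 55 5a 34"                            # Progman\0
    "64 46 5b 53 46 55 59 14 79 55 5a 55 53 51 46 34"    # Program Manager\0
) + b"\xcb" * 46                                         # 0xCB ^ 0x34 == 0xFF: fill bytes

# Assumption: a short stand-in for the library/API name list the heuristic uses.
API_NAMES = [b"shell32.dll", b"kernel32.dll", b"urlmon.dll", b"LoadLibraryA",
             b"GetProcAddress", b"WinExec", b"URLDownloadToFileA"]


def find_xor_encoded(buf, names=API_NAMES, base=0):
    """Try every key 1..255 (key 0 would only find plaintext) against every
    name and return (key, absolute_offset, name) for each match in buf."""
    hits = []
    for key in range(1, 256):
        for name in names:
            encoded = bytes(b ^ key for b in name)
            pos = buf.find(encoded)
            while pos != -1:
                hits.append((key, base + pos, name.decode("ascii")))
                pos = buf.find(encoded, pos + 1)
    return hits


def decode_strings(buf, key, min_len=3):
    """XOR buf with key and return the printable NUL-terminated strings in it;
    chunks with non-printable bytes (such as the 0xFF fill) are dropped."""
    decoded = bytes(b ^ key for b in buf)
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


if __name__ == "__main__":
    for key, offset, name in find_xor_encoded(LISTING, base=LISTING_OFFSET):
        print("key 0x%02x at 0x%08x: %s" % (key, offset, name))
        print("  strings under that key:", decode_strings(LISTING, key))
```

Run against a real sample, pass the whole file (or just the slack region) as `buf`; a single key that decodes several adjacent NUL-terminated names at once is a much stronger signal than one isolated match, and the decoded neighbourhood is what tells you whether you are looking at a string table or a false positive.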
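The OLE_SLACK_ANOMALY figure is a comparison of file size against the sum of declared stream sizes. The following added Python example, which is not the report's own tooling, computes that metric from the raw compound file structure: it reads the header, loads the FAT sectors listed in the header DIFAT, walks the directory chain and sums the size field of every stream entry. Because no real sample can ship with the page, it also builds a constructed minimal CFB v3 file (one 5,000-byte stream plus 20 KiB of appended sectors that no FAT entry references) to show the anomaly. Assumptions: only files whose FAT fits in the 109 DIFAT slots of the header are handled, and the stream name "WordDocument" and the sizes in the constructed file are made up for the demo.

```python
import struct
import sys

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_STREAM, TYPE_ROOT = 2, 5


def ole_slack(data):
    """Return (file_size, declared_stream_total, slack_bytes, slack_percent).

    Declared total = sum of the size fields of all stream directory entries,
    the same metric the report uses. Assumption: the FAT fits in the 109
    DIFAT slots of the header (DIFAT sector chaining is not implemented).
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound (OLE) file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    per_sector = sector_size // 4
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % per_sector, data, (fat_sector + 1) * sector_size))
    declared, sector, seen = 0, first_dir, set()
    while sector < len(fat) and sector not in seen:  # ENDOFCHAIN/FREESECT are >= len(fat)
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128:base + (i + 1) * 128]
            if len(entry) < 128:
                break
            if entry[0x42] == TYPE_STREAM:
                declared += struct.unpack_from("<I", entry, 0x78)[0]  # v3: size is the low dword
        sector = fat[sector]
    slack = len(data) - declared
    return len(data), declared, slack, round(100.0 * slack / len(data), 1)


def build_sample_cfb(stream_len=5000, slack_len=20480):
    """Constructed minimal CFB v3 file: FAT in sector 0, directory in sector 1,
    one stream from sector 2, then slack_len bytes of unreferenced 0xCB sectors."""
    sector_size, per_sector = 512, 128
    n_data = -(-stream_len // sector_size)  # ceil
    hdr = bytearray(sector_size)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                        # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT/DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))    # DIFAT: FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (per_sector - len(fat))
    fat_sec = struct.pack("<%dI" % per_sector, *fat)

    def entry(name, etype, start, size, child=NOSTREAM):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 0x40, len(raw), etype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    dir_sec = entry("Root Entry", TYPE_ROOT, ENDOFCHAIN, 0, child=1)
    dir_sec += entry("WordDocument", TYPE_STREAM, 2, stream_len)     # hypothetical stream name
    dir_sec = dir_sec.ljust(sector_size, b"\x00")
    stream = (bytes(range(256)) * (stream_len // 256 + 1))[:stream_len]
    stream = stream.ljust(n_data * sector_size, b"\x00")
    return bytes(hdr) + fat_sec + dir_sec + stream + b"\xcb" * slack_len


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cfb()
    size, declared, slack, pct = ole_slack(data)
    print("file %d bytes, declared streams %d bytes, slack %d bytes (%.1f%%)" % (size, declared, slack, pct))
```

Some slack is normal: the header, FAT, directory and sector padding are never counted as stream bytes, so a few KiB of difference on a small file means nothing. Tens of kilobytes that no stream claims, as here, is the region to carve and run the XOR search over.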

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 357 bytes
SHA-256: b6f68ae26b154c8b9cdd4f0fe9a495bf9751beb6d137b467ab3e92025836551b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "GifAnimator1, 0, 0, ImageOleLib, GifAnimator"