Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b82a99776064fc3b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 710.5 KB | Created: 1601-01-01 00:00:00 (the zero FILETIME value, i.e. no creation timestamp was set) | Authoring application: Microsoft PowerPoint | First seen: 2015-10-01
MD5:     d2be87a6092ae2719368888412d37ad0
SHA-1:   a6dd90eae8b4457bc700deb08576cb7f7e5e08f7
SHA-256: b82a99776064fc3b53267373bba532c7b8c9274609a7546668ee69a3b862afb9
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is classified as malicious because its record graph contains the structural trigger for CVE-2006-3590 (MS06-048), a vulnerability in PowerPoint's handling of malformed shape containers. A file built this way is designed to run attacker-supplied code, with the privileges of the user, when the presentation is opened in an unpatched PowerPoint. The verdict rests on static heuristics: no known malware family matched, and no further IOCs (network or dropped-file indicators) were extracted, so the payload's behaviour beyond the XOR-encoded registry API name reported below is not characterised.

Heuristics (2 matched)

  • CVE-2006-3590 — PowerPoint malformed shape container [critical] rule: CVE_2006_3590 (exact CVE match)
    The PowerPoint record graph contains an Escher (Office Art) shape container (SpContainer, record type 0xF004) whose OPT property record carries text properties but which has no matching ClientTextbox (0xF00D) child. This is the OffVis-compatible structural trigger for the MS06-048 malformed shape-container vulnerability. The check is purely structural: it identifies the malformed layout that reaches the vulnerable code path, not what the payload does.
  • XOR-encoded strings (key 0xEF) [critical] rule: SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with the single-byte key 0xEF: 'RegOpenKeyExA'
    Disassembly
    Attempted x86 opcode disassembly of the encoded bytes. These bytes are the XOR-encoded string data itself, not code: the instruction listing is an artifact of disassembling encoded ASCII (the runs of 0xEF, for example, are XOR-encoded 0x00 bytes) and should not be read as shellcode logic.
    00003A21  bd8a88a09f        mov ebp, 0x9fa0888a
    00003A26  8a81a48a96aa      mov al, byte ptr [ecx - 0x5569755c]
    00003A2C  97                xchg edi, eax
    00003A2D  ae                scasb al, byte ptr es:[edi]
    00003A2E  e2ef              loop 0x3a1f
    00003A30  ef                out dx, eax
    00003A31  ef                out dx, eax
    00003A32  bd8a88ab8a        mov ebp, 0x8aab888a
    00003A37  838a9b8aa48a96    or dword ptr [edx - 0x755b7565], 0xffffff96
    00003A3E  ae                scasb al, byte ptr es:[edi]
    00003A3F  e4ef              in al, 0xef
    00003A41  ef                out dx, eax
    00003A42  ef                out dx, eax
    00003A43  bd8a88ac83        mov ebp, 0x83ac888a
    00003A48  809c8aa48a96dbef  sbb byte ptr [edx + ecx*4 - 0x2469755c], 0xef
    00003A50  ef                out dx, eax
    00003A51  ef                out dx, eax
    00003A52  bc80899b98        mov esp, 0x989b8980
    00003A57  8e9d8ab3a286      mov ds, word ptr [ebp - 0x795d4c76]
    00003A5D  8c9d809c8089      mov word ptr [ebp - 0x767f6380], ds
    00003A63  9b                wait
    00003A64  b3a0              mov bl, 0xa0
    00003A66  8989868c8ab3      mov dword ptr [ecx - 0x4c75737a], ecx
    00003A6C  de                .byte 0xde
    00003A6D  dec1              faddp st(1)
    00003A6F  dfb3bf80988a      fbstp tbyte ptr [ebx - 0x75677f41]
    00003A75  9d                popfd
    00003A76  bf8086819b        mov edi, 0x9b818680
    00003A7B  b3bd              mov bl, 0xbd
    00003A7D  8a                .byte 0x8a
    00003A7E  9c                pushfd
    00003A7F  86                .byte 0x86
    00003A80  83                .byte 0x83
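The structural trigger described under the CVE-2006-3590 heuristic can be checked with a short record walker. The following is an added example, not code from the report's scanner or from OffVis: it parses the 8-byte record header that PowerPoint and Office Art (Escher) records share, descends into container records (recVer 0xF), and flags any SpContainer (0xF004) whose OPT record (0xF00B) carries a text-group property (property IDs 0x0080 to 0x00BF) while no ClientTextbox (0xF00D) child is present. The record-type and property-ID constants are from MS-ODRAW; the two record streams it runs on are constructed inside the block and are not taken from the analysed file.

```python
import struct

# Office Art record types (MS-ODRAW). PowerPoint records share the same
# 8-byte header layout, so one walker covers the whole record graph.
DG_CONTAINER   = 0xF002
SPGR_CONTAINER = 0xF003
SP_CONTAINER   = 0xF004
SP             = 0xF00A
OPT            = 0xF00B
CLIENT_TEXTBOX = 0xF00D
CONTAINER_VER  = 0xF                          # recVer == 0xF marks a container record
TEXT_PID_MIN, TEXT_PID_MAX = 0x0080, 0x00BF   # the "Text" property group


def parse_records(data, start=0, end=None):
    """Return (recVer, recInstance, recType, body_offset, recLen) for each
    record in data[start:end]. A record whose declared length runs past
    `end` stops the walk, so a hostile length cannot make us read out of bounds."""
    end = len(data) if end is None else end
    out, pos = [], start
    while pos + 8 <= end:
        verinst, rtype, rlen = struct.unpack_from("<HHI", data, pos)
        body = pos + 8
        if body + rlen > end:
            break
        out.append((verinst & 0xF, verinst >> 4, rtype, body, rlen))
        pos = body + rlen
    return out


def opt_has_text_property(data, inst, body, rlen):
    """An OPT body starts with `inst` fixed 6-byte entries (pid:16, op:32).
    Bits 14/15 of the pid word are flags; the low 14 bits are the property ID."""
    for i in range(min(inst, rlen // 6)):
        pid = struct.unpack_from("<H", data, body + 6 * i)[0] & 0x3FFF
        if TEXT_PID_MIN <= pid <= TEXT_PID_MAX:
            return True
    return False


def find_malformed_shapes(data, start=0, end=None):
    """Body offsets of every SpContainer that has text properties in its OPT
    record but no ClientTextbox child: the MS06-048 structural trigger."""
    hits = []
    for ver, inst, rtype, body, rlen in parse_records(data, start, end):
        if ver != CONTAINER_VER:
            continue
        if rtype == SP_CONTAINER:
            children = parse_records(data, body, body + rlen)
            has_text = any(t == OPT and opt_has_text_property(data, i, b, l)
                           for _, i, t, b, l in children)
            has_box = any(t == CLIENT_TEXTBOX for _, _, t, _, _ in children)
            if has_text and not has_box:
                hits.append(body)
        hits.extend(find_malformed_shapes(data, body, body + rlen))
    return hits


# --- constructed sample streams (not taken from the analysed file) ---

def rec(ver, inst, rtype, payload=b""):
    return struct.pack("<HHI", (inst << 4) | ver, rtype, len(payload)) + payload


def shape(spid, with_textbox):
    sp = rec(0x2, 202, SP, struct.pack("<II", spid, 0x0A00))  # msosptTextBox; fHaveAnchor|fHaveSpt
    opt = rec(0x3, 1, OPT, struct.pack("<HI", 0x0080, 0))    # one property: lTxid (text group)
    box = rec(CONTAINER_VER, 0, CLIENT_TEXTBOX) if with_textbox else b""
    return rec(CONTAINER_VER, 0, SP_CONTAINER, sp + opt + box)


def drawing(*shapes):
    return rec(CONTAINER_VER, 0, DG_CONTAINER,
               rec(CONTAINER_VER, 0, SPGR_CONTAINER, b"".join(shapes)))


BENIGN    = drawing(shape(1025, True))                       # text shape with its ClientTextbox
MALFORMED = drawing(shape(1025, True), shape(1026, False))   # second shape lacks the ClientTextbox

if __name__ == "__main__":
    print("benign   :", find_malformed_shapes(BENIGN))     # []
    print("malformed:", find_malformed_shapes(MALFORMED))  # [70]
```

On a real sample the walker would be pointed at the PowerPoint Document stream extracted from the OLE container (with a library such as olefile; that tooling choice is an assumption here), since the Escher records sit inside PPT drawing records that use the same header layout. Note the length guard in parse_records: a record whose declared length overruns its parent is dropped rather than followed, which is the right default for a parser that is, by design, fed hostile files.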
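The XOR heuristic and the "disassembly" listing above can be reconciled by decoding the dumped bytes directly. The following is an added example and not part of the original report: the 96 bytes at 0x3A21 to 0x3A80 are transcribed from the listing above, every single-byte key is tried, and each candidate is scored two ways, by printable-ASCII count (the naive approach) and by hits against a small dictionary of Windows API names (the dictionary is an assumption; the scanner's own list is not shown on the page). It then extracts the printable strings from the decoded bytes.

```python
# Constructed input: the bytes at 0x3A21..0x3A80 transcribed from the
# "Attempted x86 opcode disassembly" dump in the report above.
DUMP_OFFSET = 0x3A21
DUMP = bytes.fromhex(
    "bd8a88a09f" "8a81a48a96aa" "97" "ae" "e2ef" "ef" "ef"
    "bd8a88ab8a" "838a9b8aa48a96" "ae" "e4ef" "ef" "ef"
    "bd8a88ac83" "809c8aa48a96dbef" "ef" "ef"
    "bc80899b98" "8e9d8ab3a286" "8c9d809c8089" "9b" "b3a0" "8989868c8ab3"
    "de" "dec1" "dfb3bf80988a" "9d" "bf8086819b" "b3bd" "8a" "9c" "86" "83"
)

# Assumed dictionary of API names worth finding in shellcode; a real one is far longer.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"WinExec", b"CreateFileA",
             b"URLDownloadToFileA", b"RegOpenKeyExA", b"RegDeleteKeyA",
             b"RegCloseKey", b"RegSetValueExA"]

PRINTABLE = set(range(0x20, 0x7F))


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def printable_score(data, key):
    """Naive score: number of decoded bytes that are printable ASCII."""
    return sum(1 for b in xor_decode(data, key) if b in PRINTABLE)


def dictionary_score(data, key, names=API_NAMES):
    """Robust score: number of known API names that appear in the decoded bytes."""
    dec = xor_decode(data, key)
    return sum(1 for n in names if n in dec)


def recover_key(data, names=API_NAMES):
    """Try all 256 single-byte keys; rank by dictionary hits, then by printable
    count as a tiebreak. Returns (key, hits), or None if no key yields a hit."""
    best = max(range(256),
               key=lambda k: (dictionary_score(data, k, names), printable_score(data, k)))
    hits = dictionary_score(data, best, names)
    return (best, hits) if hits else None


def extract_strings(data, min_len=4):
    """Split on non-printable bytes and keep runs of at least min_len characters."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes a run that ends at the buffer end
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


if __name__ == "__main__":
    key, hits = recover_key(DUMP)
    print("key 0x%02X, %d dictionary hits" % (key, hits))
    print("printable score 0xEF:", printable_score(DUMP, 0xEF),
          " 0xCF:", printable_score(DUMP, 0xCF))
    for s in extract_strings(xor_decode(DUMP, key)):
        print(" ", s)
```

Running it shows why the naive score alone is not enough: key 0xCF (0xEF XOR 0x20) produces more printable bytes than 0xEF, because it turns the 0x00 separators into spaces and merely flips the case of the letters, whereas the dictionary score selects 0xEF unambiguously. Decoded with 0xEF, the slice reads RegOpenKeyExA, RegDeleteKeyA, RegCloseKey and the path Software\Microsoft\Office\11.0\PowerPoint\Resil, which is cut off where the dump ends. Each API name is followed by one byte that is not part of the name (0x0D, 0x0B and 0x34 respectively) and three 0x00 bytes, which is why the encoded data shows runs of 0xEF. So the heuristic's count of one API name undercounts what this slice contains, and the instruction listing is what a disassembler makes of encoded ASCII rather than shellcode logic.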