Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b8c7a52b2e2defb9…

MALICIOUS

Office (OLE)

Size: 367.0 KB (375,786 bytes)
Created: 2011-04-04 06:50:00
Authoring application: Microsoft Office Word
First seen: 2015-10-01
MD5: d119949ccab296c4f4bc4338461cd960
SHA-1: de76fa523752eae63b81bc7817a3fd13b06122c9
SHA-256: b8c7a52b2e2defb93568c4356cc97f5b85503f5971ebf9a1895c2ab951c880a3
Risk score: 202

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a malicious OLE (Compound File Binary) document authored in Word that carries an embedded SWF (Flash) object, a structure consistent with exploiting a Flash Player vulnerability from inside Office or staging a second-stage payload. XOR-encoded Windows API names (single-byte key 0x85) and a large slack region holding an appended payload reinforce that reading. The single extracted URL, http://adobe.com/AS3/2006/builtin, is the ActionScript 3 builtin namespace string that compiled AS3 bytecode carries and is not a network indicator. Taken together, the structure points to a downloader or exploit-delivery document, most likely distributed as a spearphishing attachment (T1566.001).

Heuristics 5

  • XOR-encoded strings (key 0x85) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x85: 'GetProcAddress', 'VirtualProtect', 'ShellExecuteA'
    Disassembly
    Attempted x86 opcode disassembly of the encoded region at 0xB084 (raw bytes, before XOR decoding). Because the bytes are still encoded, the instructions below are meaningless and should not be read as shellcode; XORing the listed bytes with 0x85 yields 'GetProcAddress' at 0xB084, 'EnterCriticalSection' at 0xB096, 'VirtualProtect' at 0xB0AE, 'InitializeCriticalSection' at 0xB0C0 and a truncated 'GetCurre' at 0xB0DC where the window ends. The 0x00 bytes between names are not encoded (an encoded NUL would read 0x85 in the raw bytes), so the key is applied per name, with unencoded separator bytes between entries.
    0000B084  c2e0f1            ret 0xf1e0
    0000B087  d5f7              aad 0xf7
    0000B089  eae6c4e1e1f7e0    ljmp 0xe0f7:0xe1e1c4e6
    0000B090  f6f6              div dh
    0000B092  0000              add byte ptr [eax], al
    0000B094  e300              jecxz 0xb096
    0000B096  c0ebf1            shr bl, 0xf1
    0000B099  e0f7              loopne 0xb092
    0000B09B  c6                .byte 0xc6
    0000B09C  f7ec              imul esp
    0000B09E  f1                int1
    0000B09F  ec                in al, dx
    0000B0A0  e6e4              out 0xe4, al
    0000B0A2  e9d6e0e6f1        jmp 0xf1e7917d
    0000B0A7  ec                in al, dx
    0000B0A8  eaeb00004687d3    ljmp 0xd387:0x460000eb
    0000B0AF  ec                in al, dx
    0000B0B0  f7f1              div ecx
    0000B0B2  f0                .byte 0xf0
    0000B0B3  e4e9              in al, 0xe9
    0000B0B5  d5f7              aad 0xf7
    0000B0B7  eaf1e0e6f10000    ljmp 0:0xf1e6e0f1
    0000B0BE  2f                das
    0000B0BF  84cc              test ah, cl
    0000B0C1  ebec              jmp 0xb0af
    0000B0C3  f1                int1
    0000B0C4  ec                in al, dx
    0000B0C5  e4e9              in al, 0xe9
    0000B0C7  ec                in al, dx
    0000B0C8  ffe0              jmp eax
    0000B0CA  c6                .byte 0xc6
    0000B0CB  f7ec              imul esp
    0000B0CD  f1                int1
    0000B0CE  ec                in al, dx
    0000B0CF  e6e4              out 0xe4, al
    0000B0D1  e9d6e0e6f1        jmp 0xf1e791ac
    0000B0D6  ec                in al, dx
    0000B0D7  eaeb007200c2e0    ljmp 0xe0c2:0x7200eb
    0000B0DE  f1                int1
    0000B0DF  c6                .byte 0xc6
    0000B0E0  f0                .byte 0xf0
    0000B0E1  f7f7              div edi
    0000B0E3  e0                .byte 0xe0
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object, which Office renders through the Flash ActiveX control, so any Flash Player bug becomes reachable from the document. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 were exploited through Flash objects embedded in Office files; both postdate this sample's 2015 first-seen date and are cited as examples of the technique, not as an attribution. Adobe Flash has been end-of-life since December 2020, so the embedded object is only exploitable on legacy hosts that still have the Flash ActiveX control installed.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 375,786 bytes but its declared streams total only 22,169 bytes, so 353,617 bytes (94%) sit in sectors that no stream references. Container metadata (header, FAT and directory sectors) accounts for only a few kilobytes of that gap, so the remainder is genuinely unallocated. This is the classic hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode that the document reaches through a parser memory-corruption bug (pointer corruption in the document structure) rather than through any scripted feature.
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin In document text (OLE body). This string is the ActionScript 3 builtin namespace URI that appears in compiled AS3 (ABC) bytecode; here it is a by-product of the embedded Flash object, not a contactable address, and carries no network-indicator value.
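The SC_XOR_ENCODED finding above can be reproduced, and the key recovered without knowing it in advance, from the bytes in the disassembly listing. The following is an added worked example, not the analysis platform's own tooling: the byte string is constructed from the hex column of the listing (offsets 0xB084 through 0xB0E3 of the sample), and the small API dictionary used for key scoring is illustrative rather than the platform's list. It generalises the single-key case to brute-forcing all 256 single-byte keys, which is the check to run on any unknown blob that fails to disassemble.

```python
"""Single-byte XOR key recovery over the encoded region listed in the report.

Added example; not the report's own code. ENCODED is constructed from the hex
column of the disassembly listing (0xB084..0xB0E3). KNOWN_APIS is an
illustrative scoring dictionary, not the analysis platform's list.
"""
import string

BASE = 0xB084  # file offset of the first listed byte
ENCODED = bytes.fromhex(
    "c2e0f1d5f7eae6c4e1e1f7e0f6f60000e300"
    "c0ebf1e0f7c6f7ecf1ece6e4e9d6e0e6f1eceaeb00004687"
    "d3ecf7f1f0e4e9d5f7eaf1e0e6f100002f84"
    "ccebecf1ece4e9ecffe0c6f7ecf1ece6e4e9d6e0e6f1eceaeb007200"
    "c2e0f1c6f0f7f7e0"
)

# API names a loader typically resolves by name; a hit on any of these is
# strong evidence that a candidate key is right.
KNOWN_APIS = (
    b"GetProcAddress", b"LoadLibraryA", b"VirtualProtect", b"VirtualAlloc",
    b"ShellExecuteA", b"WinExec", b"CreateFileA", b"URLDownloadToFileA",
)
# Printable ASCII minus control whitespace; NUL is deliberately excluded so
# it terminates a run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = 6) -> list[tuple[int, bytes]]:
    """Return (offset, run) for every maximal run of printable bytes of at
    least min_len bytes, in offset order."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if b in PRINTABLE:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i]))
            start = None
    return runs


def recover_key(data: bytes) -> tuple[int, int]:
    """Try all 256 single-byte keys; return (key, hits) for the key whose
    decoding contains the most dictionary names. A score of 0 means no
    single-byte XOR key exposes known names (multi-byte key, or not XOR)."""
    best_score, best_key = 0, 0
    for key in range(256):
        dec = xor_decode(data, key)
        score = sum(dec.count(name) for name in KNOWN_APIS)
        if score > best_score:
            best_score, best_key = score, key
    return best_key, best_score


def decoded_names(data: bytes, key: int, base: int = BASE) -> dict[int, str]:
    """Map file offset -> decoded string for every printable run under key."""
    return {base + off: run.decode("ascii")
            for off, run in printable_runs(xor_decode(data, key))}


if __name__ == "__main__":
    key, hits = recover_key(ENCODED)
    print(f"best key 0x{key:02x} ({hits} dictionary hits)")
    for off, name in sorted(decoded_names(ENCODED, key).items()):
        print(f"{off:08X}  {name}")
```

Running it recovers key 0x85 and prints five names at 0xB084, 0xB096, 0xB0AE, 0xB0C0 and 0xB0DC; the last is the truncated 'GetCurre' because the listing ends there. Note that the dictionary only needs one or two hits to pick the key; the remaining names (the two critical-section APIs) fall out of the decoding for free, which is why a short dictionary is enough in practice.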
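The OLE_SLACK_ANOMALY figure (declared stream bytes versus file size) is a check worth running on any compound file before looking for a CVE. The following is an added example and not the analysis platform's own code: `slack_report` is pure Python and subtracts an estimate of the container's own metadata (header, FAT, directory sectors) so that ordinary save-slack is not flagged, and `declared_stream_bytes` enumerates streams with the third-party olefile package. The demo numbers are the ones in this report (375,786-byte file, 22,169 declared stream bytes); the stream list is constructed to reproduce that total and is not the sample's real directory.

```python
"""OLE compound-file slack check. Added example, not the platform's own code.

DEMO_STREAMS is a constructed list whose sizes sum to the 22,169 declared
bytes reported for this sample; DEMO_FILE_SIZE is the reported file size.
"""
import math
import os
from typing import Iterable

SECTOR = 512        # CFB v3 sector size; v4 files use 4096
DIR_ENTRY = 128     # directory entry size, fixed by the CFB specification


def cfb_metadata_bytes(file_size: int, n_dir_entries: int, sector: int = SECTOR) -> int:
    """Upper-bound estimate of the bytes the container itself consumes:
    one header sector, FAT sectors (4 bytes per sector in the file, which
    already covers the FAT's own sectors) and directory sectors. Mini-FAT and
    DIFAT sectors are ignored; they add at most a sector or two."""
    n_sectors = math.ceil(file_size / sector)
    fat_sectors = math.ceil(n_sectors * 4 / sector)
    dir_sectors = math.ceil(n_dir_entries * DIR_ENTRY / sector)
    return sector * (1 + fat_sectors + dir_sectors)


def slack_report(file_size: int, stream_sizes: Iterable[int], n_dir_entries: int) -> dict:
    """Bytes the declared streams plus container metadata do not account for."""
    declared = sum(stream_sizes)
    metadata = cfb_metadata_bytes(file_size, n_dir_entries)
    unaccounted = max(0, file_size - declared - metadata)
    ratio = unaccounted / file_size
    return {
        "declared": declared,
        "metadata_estimate": metadata,
        "unaccounted": unaccounted,
        "ratio": round(ratio, 3),
        # Flag only when the gap is large both relatively and absolutely:
        # a few KB of slack is normal after in-place saves in Office.
        "suspicious": ratio > 0.25 and unaccounted > 64 * 1024,
    }


def declared_stream_bytes(path: str) -> tuple[int, list[int], int]:
    """Enumerate streams with olefile (pip install olefile).
    Returns (file_size, stream sizes, directory-entry count incl. root)."""
    import olefile
    ole = olefile.OleFileIO(path)
    sizes = [ole.get_size(entry) for entry in ole.listdir(streams=True, storages=False)]
    n_entries = len(ole.listdir(streams=True, storages=True)) + 1  # + root entry
    return os.path.getsize(path), sizes, n_entries


# Constructed values reproducing this report's figures (not the real directory).
DEMO_STREAMS = [4096, 16384, 1024, 665]   # sums to 22,169 bytes
DEMO_FILE_SIZE = 375_786

if __name__ == "__main__":
    print(slack_report(DEMO_FILE_SIZE, DEMO_STREAMS, n_dir_entries=8))
```

For the report's figures the metadata estimate comes to 4,608 bytes, which leaves roughly 349 KB (about 93% of the file) unaccounted for even after giving the container the benefit of the doubt; the 94% in the heuristic text simply omits that subtraction. The next step on a real file is to carve the unreferenced sectors (every sector whose FAT entry is FREESECT) and feed them to the XOR-key recovery above.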