Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bda482c1041ae1e1…

MALICIOUS

Office (OLE)

Size: 169.0 KB
Created: 2013-03-07 01:20:00
Authoring application: Microsoft Office Word
First seen: 2015-09-30
MD5: a98e134cf13715b65d0e65d123b88fa0
SHA-1: c600f5dd0d9894ad1d873e1dd2e5cf8ad52515bf
SHA-256: bda482c1041ae1e141fe5184228b6072f2d3f5349321fdc60d7463f8a6cd7608
Risk score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious Office document that exploits CVE-2012-0158 via the MSCOMctlLib.ListViewCtrl.2 ActiveX control. The XOR-encoded strings heuristic suggests obfuscation, likely to hide malicious payloads or commands. No specific family could be identified, and no network indicators were extracted.

Heuristics (2)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; category: CVE likely; rule: CVE_2012_0158)
  • XOR-encoded strings (key 0x5E) (severity: critical; rule: SC_XOR_ENCODED)
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x5E: 'shell32.dll', 'shlwapi.dll'
    Disassembly: attempted x86 opcode disassembly of the encoded region (listing omitted)