Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 be3732a9c34a6e97…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 193.0 KB (197,632 bytes)
Created: 2001-12-14 14:26:00 (document metadata, attacker-controlled; a 2001 timestamp on a file built to trigger a bug disclosed in 2006 was inherited from a template or forged, so do not use it for dating)
Authoring application: Microsoft Word 9.0 (document metadata; Word 9.0 is Word 2000, one of the versions the matched CVE affects)
First seen: 2012-07-06
MD5: 39c1779dd1dc99754a02149ed35ad45f
SHA-1: e9d8d075f17f4226223ab07b6c9a5d4372c6c5fd
SHA-256: be3732a9c34a6e97da06c071ceca13da56641ea3d192dd73461d3203bb355ac5
Risk score: 780

Heuristics (16)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM (critical; CVE, exact match; rule CVE_2006_6456)
    The WordDocument stream contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid cluster of table SPRMs is followed by an invalid SPRM with a 0xFF high byte where Word expects a normal sprmTBrc*Cv record. The SPRM parsers in Word 2000/2002/2003 corrupt memory while handling this structure; that corruption is the likely entry point to the shellcode found further down.
  • ClamAV: Win.Dropper.Agent-34304 (critical; rule CLAMAV_DETECTION)
  • Reference to WriteProcessMemory API (critical; rule SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical; rule SC_STR_CREATEREMOTETHREAD)
    With WriteProcessMemory this is the classic remote-thread injection pair; a string reference alone does not show the pair is exercised.
  • XOR-encoded strings (key 0x49) (critical; rule SC_XOR_ENCODED)
    Found 8 Windows library/API names XOR-encoded with the single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'crypt32.dll', 'shlwapi.dll', 'LoadLibraryA', 'GetProcAddress'. The library names are what the shellcode hands to LoadLibraryA; the two API names are the ones it resolves by hash (see the resolver below), and wininet.dll among the libraries suggests network capability.
    Disassembly suppressed: the surrounding bytes score as data rather than coherent x86 code (only 1 of 2 branch targets lands on an instruction boundary, 50% coherence), which is what a string table looks like.
  • Embedded PE executable (critical; rule OLE_EMBEDDED_EXE)
    An MZ/PE header was found inside the document, at offset 0x18200 (see Extracted artifacts).
  • x86 GetPC stub (CALL $+5; POP EAX) (high; rule SC_GETPC_CALL)
    Matched on the byte pattern e8 00 00 00 00 58. Disassembly suppressed: the surrounding bytes score as degenerate rather than coherent x86 code (the single mnemonic 'mov' makes up 63% of instructions, a sled or padding/filler run rather than program logic), so weigh this hit below the PEB resolver evidence.
  • PEB access via FS segment (x86) (high; rule SC_PEB_ACCESS)
    The listing is a two-function kernel32 locator and export resolver of the familiar early-2000s kind. 0x1680F to 0x16832: read the PEB pointer from fs:[0x30]; if its sign bit is set (the Win9x check, js) take kernel32 from [eax+0x34] and then [eax+0xb8]; otherwise follow PEB->Ldr (+0xc) to InInitializationOrderModuleList (+0x1c), lodsd the first entry and read its DllBase (+8), which is kernel32 on Windows 2000/XP/2003 (on later Windows the first entry is not kernel32, so this locator would fail there). From 0x16835: a function taking a hash ([esp+0x14]) and a module base ([esp+0x18]) that walks the PE export directory (e_lfanew at +0x3c, export table RVA at +0x78, NumberOfNames at +0x18, AddressOfNames at +0x20) from the last name to the first, hashing each name with h = ror32(h, 13) + byte until the NUL (cmp al, ah with eax zeroed) and comparing the result with the requested hash. The capture ends mid-instruction at 0x1686D: the lone 8b is the opcode of a mov r32, r/m32 whose remaining bytes fall outside the window, so the trailing pop edx is a misdecode, not real code.
    Disassembly (x86; validity: code, 0.853; 8 of 9 branch targets land on an instruction boundary, 89% coherence)
    0001680F  64a130000000      mov eax, dword ptr fs:[0x30]
    00016815  85c0              test eax, eax
    00016817  780c              js 0x16825
    00016819  8b400c            mov eax, dword ptr [eax + 0xc]
    0001681C  8b701c            mov esi, dword ptr [eax + 0x1c]
    0001681F  ad                lodsd eax, dword ptr [esi]
    00016820  8b6808            mov ebp, dword ptr [eax + 8]
    00016823  eb09              jmp 0x1682e
    00016825  8b4034            mov eax, dword ptr [eax + 0x34]
    00016828  8ba8b8000000      mov ebp, dword ptr [eax + 0xb8]
    0001682E  8bc5              mov eax, ebp
    00016830  5e                pop esi
    00016831  5d                pop ebp
    00016832  c20400            ret 4
    00016835  53                push ebx
    00016836  55                push ebp
    00016837  56                push esi
    00016838  57                push edi
    00016839  8b6c2418          mov ebp, dword ptr [esp + 0x18]
    0001683D  8b453c            mov eax, dword ptr [ebp + 0x3c]
    00016840  8b540578          mov edx, dword ptr [ebp + eax + 0x78]
    00016844  03d5              add edx, ebp
    00016846  8b4a18            mov ecx, dword ptr [edx + 0x18]
    00016849  8b5a20            mov ebx, dword ptr [edx + 0x20]
    0001684C  03dd              add ebx, ebp
    0001684E  e332              jecxz 0x16882
    00016850  49                dec ecx
    00016851  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00016854  03f5              add esi, ebp
    00016856  33ff              xor edi, edi
    00016858  fc                cld
    00016859  33c0              xor eax, eax
    0001685B  ac                lodsb al, byte ptr [esi]
    0001685C  3ac4              cmp al, ah
    0001685E  7407              je 0x16867
    00016860  c1cf0d            ror edi, 0xd
    00016863  03f8              add edi, eax
    00016865  ebf2              jmp 0x16859
    00016867  3b7c2414          cmp edi, dword ptr [esp + 0x14]
    0001686B  75e1              jne 0x1684e
    0001686D  8b                .byte 0x8b
    0001686E  5a                pop edx
  • PEB API-hash resolver (high; rule SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, the common position-independent shellcode import resolver. Because the resolver takes a 32-bit hash rather than a name, the API it looks up need not appear as a string near the call site; the pushed constants can be labelled by hashing candidate export names with the same rotate-13-and-add loop.
    Disassembly: identical to the SC_PEB_ACCESS listing above (0x1680F to 0x1686E); the hash loop is at 0x16859 to 0x16865 and the comparison with the requested hash at 0x16867.
  • Reference to WinExec API (high; rule SC_STR_WINEXEC)
    The likely launcher for the dropped executable: WinExec is the simplest way to run a file the shellcode has just written to disk.
  • Reference to LoadLibrary API (high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; rule SC_STR_GETPROCADDRESS)
    LoadLibraryA and GetProcAddress are the two names present in the XOR-encoded string table; the other API names in this report are referenced in the clear and are presumably looked up through GetProcAddress.
  • OLE document has a large unaccounted-for region (high; rule OLE_SLACK_ANOMALY)
    The OLE file is 197,632 bytes but its declared streams total only 94,801 bytes; the remaining 102,831 bytes (52%) lie in unallocated sector slack. This is the canonical hiding place for exploit-driven (non-macro) Office payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure. Here the slack is accounted for almost entirely by the carved executable, since 0x18200 + 98,816 = 197,632 and the PE therefore runs to the end of the file; the resolver disassembled above sits at 0x1680F, about 6.5 KB before it.
  • OLE file contains raw shellcode-like resolver payload (high; rule OLE_RAW_SHELLCODE_PAYLOAD)
    A malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This identifies an exploit payload carrier but not a specific parser CVE; the CVE-2006-6456 match above is a separate, structure-based finding.
  • Reference to VirtualAlloc API (medium; rule SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (medium; rule SC_STR_VIRTUALPROTECT)
    Both are routinely used to make a decoded stage executable; on their own they are weak signals.
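
The following is an added example, written for this page and not part of the report or the tool that produced it. It shows how an analyst would turn the SC_XOR_ENCODED and SC_API_HASH_RESOLVER findings into usable data: brute-force the single-byte XOR key by looking for known library/API names, decode the full string table, and compute the ror-13-and-add hash that the loop at 0x16859 to 0x16865 implements, so that the hash constants pushed by the resolver's callers can be labelled. The blob it scans is constructed for the example (a NOP sled, three names masked with key 0x49, filler); it is not bytes from the analysed document, and the name list is just the dictionary the search uses.

```python
import re

# Names the report says are XOR-masked (key 0x49) or referenced in the clear;
# any list of known exports works as the search dictionary.
KNOWN_NAMES = [b"kernel32.dll", b"advapi32.dll", b"wininet.dll", b"shell32.dll",
               b"crypt32.dll", b"shlwapi.dll", b"LoadLibraryA", b"GetProcAddress",
               b"WinExec", b"VirtualAlloc", b"VirtualProtect",
               b"WriteProcessMemory", b"CreateRemoteThread"]


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; used both to build the test blob and to decode it."""
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, names=KNOWN_NAMES, min_hits: int = 2) -> dict:
    """Brute-force every single-byte key (1..255) and report the keys that
    unmask at least `min_hits` known names. Key 0 is plaintext and skipped."""
    hits = {}
    for key in range(1, 256):
        found = [n.decode() for n in names if xor(n, key) in blob]
        if len(found) >= min_hits:
            hits[key] = found
    return hits


def decode_strings(blob: bytes, key: int, min_len: int = 6) -> list:
    """Decode the whole blob with `key` and return its NUL-terminated
    printable runs, i.e. the full string table rather than only the hits."""
    plain = xor(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return [m.group(0)[:-1].decode() for m in re.finditer(pattern, plain)]


def ror13_hash(name: bytes) -> int:
    """The hash computed by the loop at 0x16859-0x16865 of the listing: eax is
    zeroed, bytes are loaded until the NUL (cmp al, ah), and for each byte
    edi = ror32(edi, 13) + byte. Case-sensitive; the module name is not mixed in."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def hash_table(names) -> dict:
    """Map ror13 hash -> export name, for labelling the constants that the
    resolver's callers push as their first argument ([esp+0x14])."""
    return {ror13_hash(n): n.decode() for n in names}


def recover(blob: bytes) -> dict:
    """Chain the steps: for each plausible key, decode the string table and
    build the hash table for the decoded names."""
    result = {}
    for key in find_xor_keys(blob):
        strings = decode_strings(blob, key)
        result[key] = {"strings": strings,
                       "hashes": hash_table(s.encode() for s in strings)}
    return result


# Constructed test input: a NOP sled, three names masked with key 0x49, filler.
# These are not bytes from the analysed document.
SAMPLE_KEY = 0x49
SAMPLE_BLOB = (b"\x90" * 16
               + xor(b"kernel32.dll\x00", SAMPLE_KEY)
               + b"\x90" * 5
               + xor(b"LoadLibraryA\x00", SAMPLE_KEY)
               + xor(b"GetProcAddress\x00", SAMPLE_KEY)
               + b"\xff" * 8)

if __name__ == "__main__":
    for key, info in recover(SAMPLE_BLOB).items():
        print(f"key 0x{key:02x}: {info['strings']}")
        for h, name in info["hashes"].items():
            print(f"  0x{h:08x}  {name}")
```

The hash in this listing is the plain per-export ror13 (LoadLibraryA hashes to 0xEC0E4E8E), not the later Metasploit variant that folds the upper-cased module name into the value; if a pushed constant does not match, try a wider export list from kernel32 and the XOR-decoded libraries before assuming a different algorithm.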

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00018200.exe
Kind: embedded-pe
Source: Office container, MZ+PE at offset 0x18200
Size: 98,816 bytes (0x18200 is 98,816, and 98,816 + 98,816 = 197,632, so the executable occupies exactly the second half of the file and runs to its end)
SHA-256: 94dfc4026bbb2d59dc0e8372c37af988809eb288be8f11a35bc50f19b0d67733
Detection: ClamAV Win.Trojan.Clicker-1549 (the container is flagged as a dropper and the carved file as a clicker, the expected pairing)
Obfuscation or payload: unlikely
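
The following is an added example, not code from the report or its tool, showing how a carve like the one above is sized: scan for 'MZ', follow e_lfanew to 'PE\0\0', and take the image length from the section table (end of the furthest raw section, never less than SizeOfHeaders) rather than from whatever follows it, so trailing container bytes are not swept into the artifact. The container it scans is constructed here (an OLE-like magic, padding, a minimal PE32 that does not run, trailing junk); it is not the analysed document, and `build_min_pe` exists only to produce that test input.

```python
import hashlib
import struct


def carve_pe(blob: bytes):
    """Yield (offset, size) for each MZ/PE image found in `blob`.

    The same header fields the resolver shellcode reads are walked here:
    e_lfanew at +0x3c from 'MZ', then the COFF header at 'PE\0\0'.  Size comes
    from the section table so that bytes after the image are not included."""
    pos = 0
    while True:
        mz = blob.find(b"MZ", pos)
        if mz < 0:
            return
        pos = mz + 1
        if mz + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, mz + 0x3c)[0]
        pe = mz + e_lfanew
        if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
            continue
        nsec = struct.unpack_from("<H", blob, pe + 6)[0]          # NumberOfSections
        opt_size = struct.unpack_from("<H", blob, pe + 20)[0]     # SizeOfOptionalHeader
        end = 0
        if opt_size >= 64:
            end = struct.unpack_from("<I", blob, pe + 24 + 60)[0]  # SizeOfHeaders
        sec = pe + 24 + opt_size
        for i in range(nsec):
            hdr = sec + i * 40
            if hdr + 40 > len(blob):
                break
            raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
            end = max(end, raw_ptr + raw_size)
        if end > 0:
            # A section table pointing past the end of the blob means the
            # image is truncated; report what is actually present.
            yield mz, min(end, len(blob) - mz)


def carve_all(blob: bytes) -> list:
    """Return [(offset, image bytes, sha256)] for every image, as a report lists it."""
    return [(off, blob[off:off + size], hashlib.sha256(blob[off:off + size]).hexdigest())
            for off, size in carve_pe(blob)]


def build_min_pe(section_data: bytes) -> bytes:
    """Constructed input for the example: a minimal PE32 with one section whose
    raw data starts at 0x200.  It is not the carved sample and does not run."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14c, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10b)          # PE32 magic
    struct.pack_into("<I", opt, 60, raw_ptr)        # SizeOfHeaders
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_data), 0x1000,
                                         len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + section_data


# Constructed container: OLE-like magic, padding, the PE, then trailing junk that a
# naive "carve to end of file" would wrongly include.
SAMPLE_CONTAINER = (b"\xd0\xcf\x11\xe0" + b"\0" * 0x100
                    + build_min_pe(b"\xcc" * 100) + b"\xff" * 32)

if __name__ == "__main__":
    for off, data, digest in carve_all(SAMPLE_CONTAINER):
        print(f"MZ+PE at offset 0x{off:x}, {len(data)} bytes, sha256 {digest}")
```

For the real sample the section-table length and the distance to end of file coincide (98,816 bytes either way), which is why the reported size is unambiguous; on a container with overlay data after the executable the two would differ, and the section-table figure is the one to hash and submit.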