Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c1275ace9a9456f7…

MALICIOUS

Office (OLE)

Size: 106.5 KB
Created: 2012-11-23 04:35:00
Authoring application: Microsoft Office Word
First seen: 2015-10-01
MD5: afb84994be3bd95e1a75b64cf4da7290
SHA-1: 43fcead7ad5584cb2f034f93d8342ffabbdf76e9
SHA-256: c1275ace9a9456f7dd282b6b8ef903a420e5afc2902c51f61721a7ffca5001f1
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document that contains a NOP sled and exhibits an OLE slack anomaly (a large region of the file not accounted for by any declared stream), both of which indicate embedded shellcode. It specifically targets CVE-2012-1856 in the MSCOMCTL Toolbar control (ProgID MSComctlLib.Toolbar.2), a known vulnerability used for client-side code execution. No specific malware family could be identified from the available evidence.

Heuristics (4)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 [high] CVE (likely CVE_2012_1856)
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes (the run at 0x2C50 through 0x2C67 in the listing below). Note that the bytes immediately after the run disassemble to filler (zeros, 0x80, 0xff) rather than coherent code, so the run by itself does not show what the sled leads into.
    Disassembly (attempted x86 opcode disassembly of the region):
    00002C50  90                nop
    00002C51  90                nop
    00002C52  90                nop
    00002C53  90                nop
    00002C54  90                nop
    00002C55  90                nop
    00002C56  90                nop
    00002C57  90                nop
    00002C58  90                nop
    00002C59  90                nop
    00002C5A  90                nop
    00002C5B  90                nop
    00002C5C  90                nop
    00002C5D  90                nop
    00002C5E  90                nop
    00002C5F  90                nop
    00002C60  90                nop
    00002C61  90                nop
    00002C62  90                nop
    00002C63  90                nop
    00002C64  90                nop
    00002C65  90                nop
    00002C66  90                nop
    00002C67  90                nop
    00002C68  0000              add byte ptr [eax], al
    00002C6A  0000              add byte ptr [eax], al
    00002C6C  0000              add byte ptr [eax], al
    00002C6E  0000              add byte ptr [eax], al
    00002C70  0000              add byte ptr [eax], al
    00002C72  0000              add byte ptr [eax], al
    00002C74  800000            add byte ptr [eax], 0
    00002C77  800000            add byte ptr [eax], 0
    00002C7A  008080008000      add byte ptr [eax + 0x800080], al
    00002C80  0000              add byte ptr [eax], al
    00002C82  800080            add byte ptr [eax], 0x80
    00002C85  0080800000c0      add byte ptr [eax - 0x3fffff80], al
    00002C8B  c0c000            rol al, 0
    00002C8E  808080000000ff    add byte ptr [eax + 0x80], 0xff
    00002C95  0000              add byte ptr [eax], al
    00002C97  ff00              inc dword ptr [eax]
    00002C99  0000              add byte ptr [eax], al
    00002C9B  ff                .byte 0xff
    00002C9C  ff00              inc dword ptr [eax]
    00002C9E  ff00              inc dword ptr [eax]
    00002CA0  0000              add byte ptr [eax], al
    00002CA2  ff00              inc dword ptr [eax]
    00002CA4  ff00              inc dword ptr [eax]
    00002CA6  ff                .byte 0xff
    00002CA7  ff00              inc dword ptr [eax]
    00002CA9  00ff              add bh, bh
    00002CAB  ff                .byte 0xff
    00002CAC  ff00              inc dword ptr [eax]
    00002CAE  ff                .byte 0xff
    00002CAF  ff                .byte 0xff
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 109,024 bytes but its declared streams total only 20,824 bytes — 88,200 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into embedded drawing parts, so its presence is expected and not an indicator on its own.