MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing a NOP sled and exhibiting an OLE slack anomaly, indicating potential shellcode. It specifically targets CVE-2012-1856 in MSComctlLib.Toolbar.2, which is a known vulnerability for client execution. No specific malware family could be identified from the available evidence.
Heuristics 4
-
MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
Disassembly
Attempted x86 opcode disassembly00002C50 90 nop 00002C51 90 nop 00002C52 90 nop 00002C53 90 nop 00002C54 90 nop 00002C55 90 nop 00002C56 90 nop 00002C57 90 nop 00002C58 90 nop 00002C59 90 nop 00002C5A 90 nop 00002C5B 90 nop 00002C5C 90 nop 00002C5D 90 nop 00002C5E 90 nop 00002C5F 90 nop 00002C60 90 nop 00002C61 90 nop 00002C62 90 nop 00002C63 90 nop 00002C64 90 nop 00002C65 90 nop 00002C66 90 nop 00002C67 90 nop 00002C68 0000 add byte ptr [eax], al 00002C6A 0000 add byte ptr [eax], al 00002C6C 0000 add byte ptr [eax], al 00002C6E 0000 add byte ptr [eax], al 00002C70 0000 add byte ptr [eax], al 00002C72 0000 add byte ptr [eax], al 00002C74 800000 add byte ptr [eax], 0 00002C77 800000 add byte ptr [eax], 0 00002C7A 008080008000 add byte ptr [eax + 0x800080], al 00002C80 0000 add byte ptr [eax], al 00002C82 800080 add byte ptr [eax], 0x80 00002C85 0080800000c0 add byte ptr [eax - 0x3fffff80], al 00002C8B c0c000 rol al, 0 00002C8E 808080000000ff add byte ptr [eax + 0x80], 0xff 00002C95 0000 add byte ptr [eax], al 00002C97 ff00 inc dword ptr [eax] 00002C99 0000 add byte ptr [eax], al 00002C9B ff .byte 0xff 00002C9C ff00 inc dword ptr [eax] 00002C9E ff00 inc dword ptr [eax] 00002CA0 0000 add byte ptr [eax], al 00002CA2 ff00 inc dword ptr [eax] 00002CA4 ff00 inc dword ptr [eax] 00002CA6 ff .byte 0xff 00002CA7 ff00 inc dword ptr [eax] 00002CA9 00ff add bh, bh 00002CAB ff .byte 0xff 00002CAC ff00 inc dword ptr [eax] 00002CAE ff .byte 0xff 00002CAF ff .byte 0xff
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 109,024 bytes but its declared streams total only 20,824 bytes — 88,200 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.