Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c36c3cdcc2da563b…

MALICIOUS

Office (OLE)

Size: 124.2 KB
Created: 2004-04-05 00:54:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: ad9aec36edce727a0b717220bed35b0f
SHA-1: f974d0169744688169d7df8d32c6ba7ad38e6244
SHA-256: c36c3cdcc2da563ba902a6f459ae6b46ae94bdb411f9f5ef8e4c8812a5f736d4
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Win.Exploit.13525-1, indicating it exploits a known vulnerability. Heuristics reveal an appended executable payload and XOR-encoded strings, suggesting the document is a dropper for further malicious activity. Although VBA macros are present, they contain no executable statements, implying the exploit is likely embedded directly within the OLE structure.

Heuristics (5)

  • ClamAV: Win.Exploit.13525-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.13525-1
  • XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualProtect', 'VirtualProtect'
    Disassembly
    Attempted x86 opcode disassembly
    00014075  b390              mov bl, 0x90
    00014077  9e                sahf
    00014078  9b                wait
    00014079  b396              mov bl, 0x96
    0001407B  9d                popfd
    0001407C  8d9e8d86beff      lea ebx, [esi - 0x417973]
    00014082  ff                .byte 0xff
    00014083  ffa9968d8b8a      jmp ptr [ecx - 0x7574726a]
    00014089  9e                sahf
    0001408A  93                xchg ebx, eax
    0001408B  af                scasd eax, dword ptr es:[edi]
    0001408C  8d908b9a9c8b      lea edx, [eax - 0x74636575]
    00014092  ff                .byte 0xff
    00014093  fe                .byte 0xfe
    00014094  fd                std
    00014095  ff                .byte 0xff
    00014096  ffa0f9ffffa9      jmp dword ptr [eax - 0x56000007]
    0001409C  96                xchg esi, eax
    0001409D  8d8b8a9e93be      lea ecx, [ebx - 0x416c6176]
    000140A3  93                xchg ebx, eax
    000140A4  93                xchg ebx, eax
    000140A5  90                nop
    000140A6  9c                pushfd
    000140A7  ff                .byte 0xff
    000140A8  ff                .byte 0xff
    000140A9  ff                .byte 0xff
    000140AA  ff                .byte 0xff
    000140AB  ff                .byte 0xff
    000140AC  ff                .byte 0xff
    000140AD  ff                .byte 0xff
    000140AE  ff                .byte 0xff
    000140AF  ff                .byte 0xff
    000140B0  ff                .byte 0xff
    000140B1  ff                .byte 0xff
    000140B2  ff                .byte 0xff
    000140B3  ff                .byte 0xff
    000140B4  ff                .byte 0xff
    000140B5  ff                .byte 0xff
    000140B6  ff                .byte 0xff
    000140B7  ff                .byte 0xff
    000140B8  ff                .byte 0xff
    000140B9  ff                .byte 0xff
    000140BA  ff                .byte 0xff
    000140BB  ff                .byte 0xff
    000140BC  ff                .byte 0xff
    000140BD  ff                .byte 0xff
    000140BE  ff                .byte 0xff
    000140BF  ff                .byte 0xff
    000140C0  ff                .byte 0xff
    000140C1  ff                .byte 0xff
    000140C2  ff                .byte 0xff
    000140C3  ff                .byte 0xff
    000140C4  ff                .byte 0xff
    000140C5  ff                .byte 0xff
    000140C6  ff                .byte 0xff
    000140C7  ff                .byte 0xff
    000140C8  ff                .byte 0xff
    000140C9  ff                .byte 0xff
    000140CA  ff                .byte 0xff
    000140CB  ff09              dec dword ptr [ecx]
    000140CD  f5                cmc
    000140CE  ff                .byte 0xff
    000140CF  ff6efc            jmp ptr [esi - 4]
    000140D2  ff                .byte 0xff
    000140D3  ff                .byte 0xff
    000140D4  a2                .byte 0xa2
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 127,158 bytes but its declared streams total only 54,248 bytes — 72,910 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [high, OLE_APPENDED_PAYLOAD]
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • VBA project contains no executable statements [low, OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 286 bytes
SHA-256: 7771bf99b1125ee0f87040a7dc7c1fa89eec2186bbf4ab3e822c8d665693af47
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True