Osx.Trojan.CVE_2009_0563-4 — Office (OLE) malware analysis

Static analysis result for SHA-256 c391a6cf6eb71332…

MALICIOUS

Office (OLE)

185.2 KB Created: 2010-08-22 10:37:00 Authoring application: Microsoft Office Word First seen: 2015-09-15
MD5: 0da957b9b952420241f945a9a2c52a50 SHA-1: 444e82cdf74d5371c97c6080c32f1b0bd84d5069 SHA-256: c391a6cf6eb713320f7e03f7cce6b93103fdd11a6253c39983f619b16e4339b4
182 Risk Score

Malware Insights

Osx.Trojan.CVE_2009_0563-4 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

ClamAV identifies the file as Osx.Trojan.CVE_2009_0563-4. CVE-2009-0563 is a buffer overflow in Word's document parser (fixed in MS09-027) that also affected Office for Mac, which is why the signature carries the Osx prefix. Two shellcode heuristics fire independently of the signature: a long run of 0x90 bytes (NOP sled) and two CALL $+5; POP EAX GetPC stubs, the latter followed by what reads like a compiler-generated function prologue (push ebp; mov ebp, esp; push edi/esi/ebx). 88% of the file lies outside any declared stream, which is how pre-macro exploit documents typically carry their payload: Word only follows the FAT chains of allocated streams, so bytes in unallocated sectors are never validated and are reached only after the parser bug corrupts a pointer. Taken together these point to a document crafted to execute arbitrary code when opened. What the payload does next is not visible in this static pass; confirm by carving the unallocated region and detonating the sample in a Word build that is vulnerable to CVE-2009-0563.
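As an added example (not code from the analysis platform that produced this report), here is a byte-level scanner for the two shellcode heuristics named above. It runs over constructed bytes that mimic the report's two disassembly windows; the sample bytes, the 20-byte threshold and the FPU GetPC variant are assumptions, and the real file is not reproduced.

```python
"""Byte-level shellcode heuristics of the kind listed in this report
(NOP sled, x86 GetPC stubs). Added example; not the analysis platform's code."""
import re

POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_nop_sleds(buf: bytes, min_len: int = 20):
    """(offset, length, next8) for each run of >= min_len 0x90 bytes.
    next8 is the hex of the 8 bytes after the run: a sled that lands on
    zeros or filler rather than a decoder is weaker evidence."""
    pat = re.compile(rb"\x90{%d,}" % min_len)
    return [(m.start(), m.end() - m.start(), buf[m.end():m.end() + 8].hex())
            for m in pat.finditer(buf)]


def find_getpc_stubs(buf: bytes):
    """Offsets of the two common x86 GetPC idioms.
    CALL $+5; POP r32          -> E8 00 00 00 00 58..5F
    FLD*; FNSTENV [ESP-0xC]    -> D9 E8..EE D9 74 24 F4 (FPU trick, assumed variant)"""
    hits = []
    for m in re.finditer(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])", buf):
        hits.append((m.start(), "call $+5; pop " + POP_REGS[m.group(1)[0] - 0x58]))
    for m in re.finditer(rb"\xd9[\xe8-\xee]\xd9\x74\x24\xf4", buf):
        hits.append((m.start(), "fld*; fnstenv [esp-0xc]"))
    return sorted(hits)


def score(buf: bytes) -> dict:
    """Combine the heuristics the way the report does: sled and GetPC together
    are a much stronger signal than either alone."""
    sleds, stubs = find_nop_sleds(buf), find_getpc_stubs(buf)
    verdict = "shellcode-like" if sleds and stubs else "weak" if sleds or stubs else "none"
    return {"nop_sleds": sleds, "getpc_stubs": stubs, "verdict": verdict}


# Constructed bytes that mimic the two windows shown in the report (not the
# real sample): a 57-byte sled broken by 0x09 bytes, then two CALL/POP stubs
# and a compiler-looking prologue.
SAMPLE = (
    b"\x00" * 64
    + b"\x90" * 57
    + b"\x09" * 5 + b"\x90" * 16              # 16-byte run: below the threshold
    + b"\x10\xf0\xe3\x8f" + b"\x00" * 32
    + bytes.fromhex("e800000000 58 ffb01b5d0000 8b80cb850000 ffe0")
    + bytes.fromhex("e800000000 58 8b80bb850000 ffe0")
    + bytes.fromhex("55 89e5 57 56 53 83ec04")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for key, value in score(SAMPLE).items():
        print(key, value)
```

Run it against a carved region, not the whole file: 0x90 runs and E8 00 00 00 00 sequences also occur in legitimate binary data, so offsets only become interesting when they fall inside unallocated OLE sectors.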

Heuristics 5

  • ClamAV: Osx.Trojan.CVE_2009_0563-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Osx.Trojan.CVE_2009_0563-4. The CVE in the name is the signature author's attribution, not something this scan verified; treat it as a pointer to which Word parsing bug to reproduce against rather than as proof of the vulnerability exploited.
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes (57 in the run starting at 0x1046). The run is broken by stray 0x09 bytes, continues for a further 16 NOPs and then lands on 10 f0 e3 8f followed by zeros rather than a decoder, so on its own this sled is suggestive rather than conclusive; the GetPC stubs carry more weight.
    Disassembly
    Attempted x86 opcode disassembly
    00001046  90                nop
    00001047  90                nop
    00001048  90                nop
    00001049  90                nop
    0000104A  90                nop
    0000104B  90                nop
    0000104C  90                nop
    0000104D  90                nop
    0000104E  90                nop
    0000104F  90                nop
    00001050  90                nop
    00001051  90                nop
    00001052  90                nop
    00001053  90                nop
    00001054  90                nop
    00001055  90                nop
    00001056  90                nop
    00001057  90                nop
    00001058  90                nop
    00001059  90                nop
    0000105A  90                nop
    0000105B  90                nop
    0000105C  90                nop
    0000105D  90                nop
    0000105E  90                nop
    0000105F  90                nop
    00001060  90                nop
    00001061  90                nop
    00001062  90                nop
    00001063  90                nop
    00001064  90                nop
    00001065  90                nop
    00001066  90                nop
    00001067  90                nop
    00001068  90                nop
    00001069  90                nop
    0000106A  90                nop
    0000106B  90                nop
    0000106C  90                nop
    0000106D  90                nop
    0000106E  90                nop
    0000106F  90                nop
    00001070  90                nop
    00001071  90                nop
    00001072  90                nop
    00001073  90                nop
    00001074  90                nop
    00001075  90                nop
    00001076  90                nop
    00001077  90                nop
    00001078  90                nop
    00001079  90                nop
    0000107A  90                nop
    0000107B  90                nop
    0000107C  90                nop
    0000107D  90                nop
    0000107E  90                nop
    0000107F  0909              or dword ptr [ecx], ecx
    00001081  0909              or dword ptr [ecx], ecx
    00001083  099090909090      or dword ptr [eax - 0x6f6f6f70], edx
    00001089  90                nop
    0000108A  90                nop
    0000108B  90                nop
    0000108C  90                nop
    0000108D  90                nop
    0000108E  90                nop
    0000108F  90                nop
    00001090  90                nop
    00001091  90                nop
    00001092  90                nop
    00001093  90                nop
    00001094  10f0              adc al, dh
    00001096  e38f              jecxz 0x1027
    00001098  0000              add byte ptr [eax], al
    0000109A  0000              add byte ptr [eax], al
    0000109C  0000              add byte ptr [eax], al
    0000109E  0000              add byte ptr [eax], al
    000010A0  0000              add byte ptr [eax], al
    000010A2  0000              add byte ptr [eax], al
    000010A4  0000              add byte ptr [eax], al
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    Two back-to-back CALL $+5; POP EAX stubs, each loading a pointer relative to EAX and jumping through it. The code that follows (push ebp; mov ebp, esp; push edi/esi/ebx; sub esp, 4; cmp dword ptr [ebp + 0x10], ...) is a conventional compiler-generated prologue with stack arguments, so this region looks more like an embedded compiled executable than hand-written shellcode; check the carved region for a Mach-O or PE header before treating the stub as the exploit's entry point.
    Disassembly
    Attempted x86 opcode disassembly
    0000891E  e800000000        call 0x8923
    00008923  58                pop eax
    00008924  ffb01b5d0000      push dword ptr [eax + 0x5d1b]
    0000892A  8b80cb850000      mov eax, dword ptr [eax + 0x85cb]
    00008930  ffe0              jmp eax
    00008932  e800000000        call 0x8937
    00008937  58                pop eax
    00008938  8b80bb850000      mov eax, dword ptr [eax + 0x85bb]
    0000893E  ffe0              jmp eax
    00008940  55                push ebp
    00008941  89e5              mov ebp, esp
    00008943  57                push edi
    00008944  56                push esi
    00008945  53                push ebx
    00008946  83ec04            sub esp, 4
    00008949  817d10c0000000    cmp dword ptr [ebp + 0x10], 0xc0
    00008950  7426              je 0x8978
    00008952  817d1000010000    cmp dword ptr [ebp + 0x10], 0x100
    00008959  7428              je 0x8983
    0000895B  817d1080000000    cmp dword ptr [ebp + 0x10], 0x80
    00008962  b801000000        mov eax, 1
    00008967  0f85ee030000      jne 0x8d5b
    0000896D  8b4508            mov eax, dword ptr [ebp + 8]
    00008970  c7000a000000      mov dword ptr [eax], 0xa
    00008976  eb14              jmp 0x898c
    00008978  8b7d08            mov edi, dword ptr [ebp + 8]
    0000897B  c7                .byte 0xc7
    0000897C  07                pop es
    0000897D  0c                .byte 0x0c
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 189,674 bytes but its declared streams total only 22,878 bytes, so 166,796 bytes (88%) are not part of any stream. Word only follows the FAT chains of allocated streams, so bytes in unallocated sectors are never validated; this makes slack the usual hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Note that "declared stream total" is a loose measure, since it also counts the header, FAT and directory sectors as slack; carve on FAT allocation rather than on this number.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace identifier that Office itself writes into documents; it is not a download or callback location and is not an indicator of compromise.
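The slack measurement above is what a practitioner most wants to reproduce, so here is an added example (not the analysis platform's code) of a minimal OLE2/CFB walker that reports both the page's metric, declared stream bytes, and the more precise one, bytes in sectors the FAT does not allocate, as carvable (offset, length) ranges. It assumes a version 3 file whose FAT sectors all fit in the header's 109 DIFAT slots and ignores the mini-FAT; the sample file it builds (one "WordDocument" stream with unreferenced bytes appended) is constructed for the demonstration and is not the sample analysed here.

```python
"""Minimal OLE2/CFB walker that measures how much of a file lies outside any
FAT-allocated sector. Added example; not the analysis platform's own code."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF


def parse_ole(buf: bytes) -> dict:
    """Header -> DIFAT -> FAT -> directory; report streams and unallocated space."""
    if buf[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    ssz = 1 << struct.unpack_from("<H", buf, 0x1E)[0]           # sector size
    n_fat, first_dir = struct.unpack_from("<II", buf, 0x2C)
    difat = struct.unpack_from("<109I", buf, 0x4C)

    def sector(n: int) -> bytes:          # sector n starts one sector after the header
        chunk = buf[(n + 1) * ssz:(n + 2) * ssz]
        if len(chunk) != ssz:
            raise ValueError("sector %d truncated" % n)
        return chunk

    # Assumption: the 109 DIFAT slots in the header cover every FAT sector
    # (true below roughly 7 MB at 512-byte sectors); no DIFAT-sector chaining here.
    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack("<%dI" % (ssz // 4), sector(s)))

    # Follow the directory chain through the FAT; a crafted loop would otherwise hang us.
    entries, s, seen = b"", first_dir, set()
    while s != ENDOFCHAIN and s not in seen:
        seen.add(s)
        entries += sector(s)
        s = fat[s]

    streams = []
    for i in range(0, len(entries), 128):
        e = entries[i:i + 128]
        name_len = struct.unpack_from("<H", e, 0x40)[0]
        if e[0x42] == 2:                                        # object type 2 = stream
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 0x74)
            streams.append((name, start, size & 0xFFFFFFFF))    # v3 files: low 32 bits

    data_bytes = len(buf) - ssz
    n_sectors = (data_bytes + ssz - 1) // ssz
    # Unallocated = FAT says FREESECT, or the FAT does not even cover the sector.
    unalloc = [((i + 1) * ssz, min(ssz, len(buf) - (i + 1) * ssz))
               for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT]
    unalloc_bytes = sum(length for _, length in unalloc)
    return {
        "sector_size": ssz,
        "streams": streams,
        "declared_stream_bytes": sum(st[2] for st in streams),
        "file_bytes": len(buf),
        "unallocated_ranges": unalloc,           # (offset, length) pairs to carve
        "unallocated_bytes": unalloc_bytes,
        "unallocated_pct": round(100.0 * unalloc_bytes / len(buf), 1),
    }


def build_sample(slack_payload: bytes) -> bytes:
    """Constructed v3 file: FAT in sector 0, directory in sector 1, one 5000-byte
    'WordDocument' stream in sectors 2-11, then slack_payload appended with no
    FAT entry pointing at it (the hiding spot the report describes)."""
    ssz, stream = 512, b"A" * 5000
    n_stream = (len(stream) + ssz - 1) // ssz
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(n_stream):
        fat[2 + i] = 3 + i
    fat[1 + n_stream] = ENDOFCHAIN

    hdr = bytearray(ssz)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512/64-byte sectors
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))

    def dirent(name, etype, start, size, child=NOSTREAM):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), etype, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (dirent("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + dirent("WordDocument", 2, 2, len(stream)) + bytes(256))
    body = stream + bytes(n_stream * ssz - len(stream))
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + body + slack_payload


if __name__ == "__main__":
    report = parse_ole(build_sample(b"\x90" * 4096))
    print({k: v for k, v in report.items() if k != "unallocated_ranges"})
```

On the constructed file the two numbers differ visibly (5000 declared stream bytes in a 10,752-byte file, but only 4,096 bytes actually unallocated), which is why carving should follow the FAT rather than the declared-stream total. Feed the carved ranges to a shellcode scanner or check them for a Mach-O or PE header.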