Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c956f9e90fff2917…

MALICIOUS

Office (OLE)

Size: 80.3 KB
Created: 2004-04-05 00:54:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 08a70cbc507ebe594cffb524a97b8134
SHA-1: 74a728f04d7f24944c6024b506ffe2fc2197fc9d
SHA-256: c956f9e90fff29173feaff4708b058b7ab235299bf846529221d7ecbee045168
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

ClamAV flags the file with the signature Win.Exploit.13525-1, a generic exploit-family detection. The signature name identifies the class of detection, not a specific CVE, and this static analysis does not establish which vulnerability is targeted. Static analysis also found four Windows API names (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect) XOR-encoded with the single-byte key 0xFF. That set is characteristic of an embedded shellcode stub: such stubs typically resolve their imports at runtime through LoadLibraryA/GetProcAddress and use VirtualAlloc/VirtualProtect to obtain executable memory, and the XOR encoding keeps the names out of plain string scans. The document also carries a VBA project, but the extracted module contains only attribute lines and no executable statements, so the macro is not the trigger; the exploit and its payload are most likely embedded directly in the OLE streams and fire when Word parses the document (T1203).

Heuristics (3)

  • ClamAV: Win.Exploit.13525-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.13525-1
  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'
    Disassembly
    Attempted x86 opcode disassembly of the region holding the XOR-encoded strings. The bytes are shown still encoded, so the mnemonics below are not meaningful instructions: XOR-decoding them with 0xFF yields 'LoadLibraryA', 'VirtualProtect' and 'VirtualAlloc' in sequence, and the long runs of 0xff are encoded NUL bytes (string terminators and zero padding).
    00013C75  b390              mov bl, 0x90
    00013C77  9e                sahf
    00013C78  9b                wait
    00013C79  b396              mov bl, 0x96
    00013C7B  9d                popfd
    00013C7C  8d9e8d86beff      lea ebx, [esi - 0x417973]
    00013C82  ff                .byte 0xff
    00013C83  ffa9968d8b8a      jmp ptr [ecx - 0x7574726a]
    00013C89  9e                sahf
    00013C8A  93                xchg ebx, eax
    00013C8B  af                scasd eax, dword ptr es:[edi]
    00013C8C  8d908b9a9c8b      lea edx, [eax - 0x74636575]
    00013C92  ff06              inc dword ptr [esi]
    00013C94  fe                .byte 0xfe
    00013C95  ff                .byte 0xff
    00013C96  ffd0              call eax
    00013C98  fc                cld
    00013C99  ff                .byte 0xff
    00013C9A  ffa9968d8b8a      jmp ptr [ecx - 0x7574726a]
    00013CA0  9e                sahf
    00013CA1  93                xchg ebx, eax
    00013CA2  be9393909c        mov esi, 0x9c909393
    00013CA7  ff                .byte 0xff
    00013CA8  ff                .byte 0xff
    00013CA9  ff                .byte 0xff
    00013CAA  ff                .byte 0xff
    00013CAB  ff                .byte 0xff
    00013CAC  ff                .byte 0xff
    00013CAD  ff                .byte 0xff
    00013CAE  ff                .byte 0xff
    00013CAF  ff                .byte 0xff
    00013CB0  ff                .byte 0xff
    00013CB1  ff                .byte 0xff
    00013CB2  ff                .byte 0xff
    00013CB3  ff                .byte 0xff
    00013CB4  ff                .byte 0xff
    00013CB5  ff                .byte 0xff
    00013CB6  ff                .byte 0xff
    00013CB7  ff                .byte 0xff
    00013CB8  ff                .byte 0xff
    00013CB9  ff                .byte 0xff
    00013CBA  ff                .byte 0xff
    00013CBB  ff                .byte 0xff
    00013CBC  ff                .byte 0xff
    00013CBD  ff                .byte 0xff
    00013CBE  ff                .byte 0xff
    00013CBF  ff                .byte 0xff
    00013CC0  ff                .byte 0xff
    00013CC1  ff                .byte 0xff
    00013CC2  ff                .byte 0xff
    00013CC3  ff                .byte 0xff
    00013CC4  fe                .byte 0xfe
    00013CC5  ff                .byte 0xff
    00013CC6  ff                .byte 0xff
    00013CC7  ff                .byte 0xff
    00013CC8  3dfeffffa2        cmp eax, 0xa2fffffe
    00013CCD  7e12              jle 0x13ce1
    00013CCF  fa                cli
    00013CD0  ff                .byte 0xff
    00013CD1  ff                .byte 0xff
    00013CD2  ff728a            push dword ptr [edx - 0x76]
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
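The SC_XOR_ENCODED heuristic can be reproduced from the bytes in the listing. The following is an added worked example, not code from the analysis platform that produced this report: it takes the 96 bytes printed at 0x13C75..0x13CD4, brute-forces every single-byte XOR key against the four API names the report lists, dumps the printable strings under the winning key, and then looks in the decoded buffer for the 'pop ebp / sub ebp, imm32' byte sequence (5d 81 ed) that position-independent shellcode uses after a call/pop to learn its own address. The key-0xFF decode and the API-name list come from the report; the idiom check is an added observation on the decoded bytes, and the file offset 0x13C75 is assumed to be where the listing starts.

```python
"""Single-byte XOR string heuristic (SC_XOR_ENCODED), added here as a worked example.
This is not the analysis platform's own code. It runs over the 96 bytes printed in the
disassembly listing and brute-forces the key the way a string scanner would."""
import re

LISTING_BASE = 0x13C75  # assumed file offset of the first listed byte

# Bytes copied from the listing at 0x13C75..0x13CD4, as printed (still XOR-encoded).
LISTING_HEX = (
    "b390 9e 9b b396 9d 8d9e8d86beff ff ffa9968d8b8a 9e 93 af 8d908b9a9c8b"
    " ff06 fe ff ffd0 fc ff ffa9968d8b8a 9e 93 be9393909c"
    + " ff" * 29  # 0x13CA7..0x13CC3: 29 bytes of 0xff (encoded zeros)
    + " fe ff ff ff 3dfeffffa2 7e12 fa ff ff ff728a"
)
LISTING_BYTES = bytes.fromhex(LISTING_HEX)

# The four API names the report says were found; a production scanner uses a longer list.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect"]


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_api_names(data: bytes, names=API_NAMES):
    """Try every single-byte key and report which API names appear after decoding.
    Key 0x00 is skipped: a hit there is plaintext, not obfuscation."""
    hits = {}
    for key in range(1, 256):
        decoded = xor_decode(data, key)
        found = [n.decode() for n in names if n in decoded]
        if found:
            hits[key] = found
    return hits


def printable_strings(buf: bytes, min_len: int = 4):
    """Runs of printable ASCII of at least min_len bytes, in order of appearance."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, buf)]


# pop ebp ; sub ebp, imm32 : the classic delta-offset stub after a call/pop.
GETPC_IDIOM = b"\x5d\x81\xed"


def find_getpc_idiom(decoded: bytes):
    """Offset of the first 'pop ebp / sub ebp, imm32' sequence in the buffer, or None.
    Added observation on the decoded bytes, not a finding stated by the report."""
    i = decoded.find(GETPC_IDIOM)
    return None if i < 0 else i


if __name__ == "__main__":
    for key, names in find_xor_encoded_api_names(LISTING_BYTES).items():
        print(f"key 0x{key:02x}: {names}")
    decoded = xor_decode(LISTING_BYTES, 0xFF)
    print("strings under 0xFF:", printable_strings(decoded))
    off = find_getpc_idiom(decoded)
    if off is not None:
        imm = int.from_bytes(decoded[off + 3:off + 7], "little")
        print(f"pop ebp / sub ebp, {imm:#x} at file offset {LISTING_BASE + off:#x}")
```

Under key 0xFF the buffer decodes to LoadLibraryA, VirtualProtect and VirtualAlloc, each NUL-terminated, which is why the listing is dominated by 0xff bytes (0x00 XOR 0xFF). GetProcAddress is not inside this window; the report counts it among the four names, so it sits elsewhere in the file. The decoded tail at offset 87 (file offset 0x13CCC) reads 5d 81 ed 05 00 00 00, i.e. pop ebp; sub ebp, 5, consistent with a stub that has just computed its own load address; the listing is truncated there, so nothing further about the payload can be stated from this page.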

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 286 bytes
SHA-256: 7771bf99b1125ee0f87040a7dc7c1fa89eec2186bbf4ab3e822c8d665693af47
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
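The OLE_VBA_MACROS finding (attribute-only module, no executable statements) is easy to re-check by hand. The following is an added example, not oletools code nor the analysis platform's own: it joins VBA line continuations, strips Attribute and Option lines, comments and blank lines from a decompressed module, reports what remains, and names any auto-executing procedure it finds. The first module text is the macros.bas shown above; the second module, with an AutoOpen procedure, is constructed for contrast and is not from the sample.

```python
"""Attribute-only VBA module check, added as a worked example (not oletools' own code)."""
import re

# Copied from the extracted macros.bas above (ThisDocument module of the sample).
MACROS_BAS = """Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
"""

# Constructed counter-example (not from the sample): same attributes plus a real macro.
MACROS_WITH_CODE = MACROS_BAS + """Option Explicit
' runs when the document is opened
Sub AutoOpen()
    Shell "cmd.exe /c whoami", _
          vbHide
End Sub
"""

# Lines that carry no executable code: module attributes, Option statements, comments.
NON_EXECUTABLE = re.compile(r"^(?:Attribute\s|Option\s|Rem\b|')", re.IGNORECASE)

# Procedure header: optional visibility, Sub/Function, then the name.
PROC_DEF = re.compile(r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.IGNORECASE)

# Word/Excel entry points that fire without user interaction (compared case-insensitively).
AUTO_EXEC_NAMES = {"autoopen", "auto_open", "autoexec", "document_open", "workbook_open"}


def logical_lines(vba_source: str):
    """Split into logical lines, joining physical lines that end in ' _' (VBA continuation)."""
    joined, buf = [], ""
    for line in vba_source.splitlines():
        stripped = line.strip()
        if stripped.endswith(" _"):
            buf += stripped[:-2].rstrip() + " "
            continue
        joined.append(buf + stripped)
        buf = ""
    if buf:
        joined.append(buf.rstrip())
    return joined


def executable_statements(vba_source: str):
    """Logical lines that are neither blank, attributes, Option statements nor comments."""
    return [l for l in logical_lines(vba_source) if l and not NON_EXECUTABLE.match(l)]


def has_executable_code(vba_source: str) -> bool:
    return bool(executable_statements(vba_source))


def auto_exec_procedures(vba_source: str):
    """Names of Sub/Function definitions whose name is an auto-execute entry point."""
    names = []
    for stmt in executable_statements(vba_source):
        m = PROC_DEF.match(stmt)
        if m and m.group(1).lower() in AUTO_EXEC_NAMES:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    for label, src in (("sample macros.bas", MACROS_BAS), ("constructed module", MACROS_WITH_CODE)):
        stmts = executable_statements(src)
        print(f"{label}: {len(stmts)} executable statement(s); auto-exec: {auto_exec_procedures(src)}")
        for s in stmts:
            print("   ", s)
```

The caveat that keeps this heuristic at low severity: it inspects the decompressed source that olevba extracts, and VBA stomping (stored p-code that differs from the stored source) can leave an apparently empty module that still executes in an Office build whose VBA version matches the p-code. Before concluding that a document carries no macro code, compare the source against the p-code (for example with pcodedmp).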