Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca84d8e6bda4f9fe…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 921.5 KB
Created: 2008-01-27 01:25:33
Authoring application: Microsoft PowerPoint
First seen: 2019-01-12
MD5: fba7cd323465558b5d261f78749ee4a5
SHA-1: 098cb41aad864e5953c2ca5b10060c0fefd9b899
SHA-256: ca84d8e6bda4f9fe88c6d59db398644c856c7e115994e028cf0fac9e3e1d70be
Risk score: 510

Malware Insights

MITRE ATT&CK
  T1203 Exploitation for Client Execution
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1105 Ingress Tool Transfer

The sample is a binary-format PowerPoint (.ppt) file that contains both an embedded PE executable and VBA macro code. The extracted macro (macros.bas, below) has an AutoOpen routine that reads a presentation path and a macro name from the process command line via Command(), a function that VB6 and Access provide but PowerPoint's VBA does not, then opens that presentation and runs the named macro in it; two further routines start Excel through CreateObject("Excel.Application"), open a workbook and run a macro inside it. Together these indicate a multi-stage chain that moves execution between Office applications. The critical heuristic PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD flags the embedded native payload as the delivery half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family), and ClamAV labels the container Ppt.Exploit.Apptom-10029459-0. The embedded executable is the primary indicator of malicious intent and is tagged T1105 as a likely downloader; note, however, that static analysis recovered only the command strings "cmd.exe /k" and "CMD" from it and ClamAV has no signature for the carved file itself, so its follow-on behaviour is not confirmed by this analysis alone.

Heuristics (14)

  • PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD [critical, CVE likely]
    PowerPoint binary-format RCE payload, CVE-2011-1269 / MS11-036 family.
    A binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556). The generic description of this heuristic refers to a macro-free document; this particular sample additionally carries VBA macros (see OLE_VBA_MACROS below).
  • CLAMAV_DETECTION [critical]
    ClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
  • OLE_EMBEDDED_EXE [critical]
    MZ/PE header found inside the document: possible embedded executable (carved as embedded_office_0000aca4.exe, see Extracted artifacts).
  • SC_STR_CREATEPROCESS [high]
    Reference to the CreateProcess API
  • SC_STR_SHELLEXEC [high]
    Reference to the ShellExecute API
  • SC_STR_CMD [high]
    Suspicious cmd.exe invocation with an execution flag (the string recovered from the carved executable is "cmd.exe /k")
  • SC_STR_LOADLIBRARY [high]
    Reference to the LoadLibrary API
  • SC_STR_GETPROCADDRESS [high]
    Reference to the GetProcAddress API (LoadLibrary plus GetProcAddress is the usual pair for resolving imports at run time, as packed or shellcode-style payloads do)
  • EXTRACTED_FILE_STATIC_TRIAGE [high]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE_VBA_MACROS [medium, 2 related findings]
    Document contains VBA macro code (extracted as macros.bas, see Extracted artifacts)
  • OLE_VBA_CREATEOBJ [high]
    CreateObject call
    Matched line in script:
        Set xlApp = CreateObject("Excel.Application")
  • OLE_VBA_AUTOOPEN [low]
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • SC_STR_VIRTUALALLOC [medium]
    Reference to the VirtualAlloc API
  • EMBEDDED_URL [info]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.ibsensoftware.com/ (found in document text, OLE body)
    Analyst note: ibsensoftware.com is the home page of the aPLib compression library, and this URL is part of aPLib's copyright banner string, which is carried by many executables that bundle aPLib-based packing. It therefore fits the "Obfuscation or payload: likely" label on the carved PE better than a download or command-and-control endpoint, and should be checked against the carved executable's strings before being treated as an indicator.
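The heuristics above are string and structure checks that can be reproduced outside the platform. The following Python script is an added example (not the analysis platform's code and not oletools): it locates MZ/PE headers by validating e_lfanew rather than trusting a bare "MZ", searches for the API-name and cmd.exe strings behind the SC_STR_* findings, extracts URLs, and runs the AutoOpen/CreateObject checks over decoded VBA source. The heuristic IDs reuse the report's names; the regular expressions, the NOT_OLE label and the constructed sample buffer (which plants a decoy "MZ" in text together with a real MZ/PE pair) are assumptions of this example.

```python
import re
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound-file signature

# Heuristic IDs reuse the report's names; the patterns are this example's own
# assumptions, not the analysis platform's rules.
API_STRINGS = {
    "SC_STR_CREATEPROCESS": rb"CreateProcess(?:AsUser)?[AW]?\b",
    "SC_STR_SHELLEXEC": rb"ShellExecute(?:Ex)?[AW]?\b",
    "SC_STR_LOADLIBRARY": rb"LoadLibrary(?:Ex)?[AW]?\b",
    "SC_STR_GETPROCADDRESS": rb"GetProcAddress\b",
    "SC_STR_VIRTUALALLOC": rb"VirtualAlloc(?:Ex)?\b",
    "SC_STR_CMD": rb"(?i)cmd(?:\.exe)?[ \t]+/[kc]\b",  # "cmd.exe /k" or "/c"
}
VBA_PATTERNS = {
    "OLE_VBA_AUTOOPEN": re.compile(
        r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
        r"(?:Auto_?Open|Document_Open|Workbook_Open)\s*\(\s*\)", re.I | re.M),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def find_embedded_pe(data):
    # Accept an "MZ" only if e_lfanew (DOS header +0x3C) lands on "PE\0\0";
    # a bare "MZ" inside text or random data is not an executable.
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x10000 and data[nt:nt + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data, vba_source=None):
    """Run the heuristics over a file image (and decoded VBA source, if any);
    returns {heuristic_id: evidence}."""
    findings = {}
    if data[:8] != OLE_MAGIC:
        findings["NOT_OLE"] = "no compound-file signature"  # label is this example's own
    pe_offsets = find_embedded_pe(data)
    if pe_offsets:
        findings["OLE_EMBEDDED_EXE"] = [hex(o) for o in pe_offsets]
    for hid, pattern in API_STRINGS.items():
        m = re.search(pattern, data)
        if m:
            findings[hid] = m.group(0).decode("ascii", "replace")
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})
    if urls:
        findings["EMBEDDED_URL"] = urls
    if vba_source:
        findings["OLE_VBA_MACROS"] = True
        for hid, pattern in VBA_PATTERNS.items():
            m = pattern.search(vba_source)
            if m:
                findings[hid] = m.group(0).strip()
    return findings


def build_sample():
    """Constructed test image: OLE signature, a decoy "MZ" in text plus the
    aPLib-style URL, then a real MZ/PE header pair and some API strings."""
    blob = bytearray(OLE_MAGIC + b"\x00" * (0x400 - 8))
    blob += b"Some text mentioning MZ in passing, plus http://www.ibsensoftware.com/ banner.\n"
    blob += b"\x00" * 0x100
    stub = bytearray(b"MZ" + b"\x00" * 0x7E)     # 0x80-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x80)      # e_lfanew -> PE signature
    blob += stub + b"PE\0\0" + b"\x00" * 0x100
    blob += b"kernel32.dll\0CreateProcessA\0LoadLibraryA\0GetProcAddress\0"
    blob += b"VirtualAlloc\0cmd.exe /k\0"
    return bytes(blob)


# Constructed VBA snippet shaped like the report's matched lines.
SAMPLE_VBA = """Sub AutoOpen()
    Set xlApp = CreateObject("Excel.Application")
End Sub
"""

if __name__ == "__main__":
    for hid, evidence in triage(build_sample(), SAMPLE_VBA).items():
        print(f"{hid}: {evidence}")
```

The decoy "MZ" in the text line is rejected because the four bytes at its +0x3C are zero, so e_lfanew fails the sanity range; only the planted header whose e_lfanew points at "PE\0\0" is reported, which is the check that separates OLE_EMBEDDED_EXE from a random byte pair.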

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1005 bytes
  SHA-256: 7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
  Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub AutoOpen()
' Parameters: [PPT file] [macro name]   (original comment, translated from French)
' Reads the process command line with Command(), a VB6/Access function that
' PowerPoint VBA does not provide, splits it at the first space into a
' presentation path (c1) and a macro name (c2), then opens that presentation
' in a visible PowerPoint instance and runs "<path>!<macro>" inside it.
c = Command()
cl = InStr(c, " ")
c1 = Left(c, cl - 1)
c2 = Right(c, Len(c) - cl)
Dim a As New PowerPoint.Application
a.WindowState = ppWindowMaximized
a.Visible = True
a.Presentations.Open c1
a.Run (c1 & "!" & c2)
Set a = Nothing
End Sub

Dim xlApp As excel.Application
Dim xlBook As excel.workbook

Sub test()
    ' Launch the Excel file   (original comment, translated from French)
    ' Starts Excel through late binding and opens a workbook; the path is a
    ' placeholder left in the code ("chemin_du_fichier" means "path of the file").
    Set xlApp = CreateObject("Excel.Application")
    Set xlBook = xlApp.workbooks.Open("chemin_du_fichier.xls")
    xlApp.Visible = True
End Sub

Sub valid()
    ' Run Excel's "valider"   (original comment, translated from French)
    ' Runs the macro valider in module feuil2 of the workbook opened by test().
    xlApp.Run "feuil2.valider"
End Sub

' Second module in the same extraction: a class module named "Classe1" of
' which only the VB attribute header was recovered.
Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Artifact 2: embedded_office_0000aca4.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0xACA4
  Size: 899420 bytes (0xACA4 + 899420 = 943,616 bytes = 921.5 KB, i.e. the carved bytes run from the MZ header to the end of the container; whether every trailing byte belongs to the PE image was not verified here)
  SHA-256: 6f0db0364e9413218104658ebf1a94971acec88b65afa8e44bcb33277d5bf9d3
  Detection:
    ClamAV: No threats found (the Ppt.Exploit.Apptom signature fires on the container, not on the carved executable)
    Obfuscation or payload: likely
    Static shellcode analysis recovered command string(s): cmd.exe /k, CMD
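The carved executable is reported at offset 0xACA4 with a size of 899420 bytes, and 0xACA4 + 899420 = 943,616 bytes is exactly 921.5 KB, so the carve runs to the end of the container. How a carver should bound an embedded PE is worth seeing in code. The following Python is an added example (not the platform's carver, whose rule this page does not document): it walks the DOS header, COFF file header and section table and takes max(SizeOfHeaders, PointerToRawData + SizeOfRawData) as the on-disk extent, clamping and flagging the result when the host ends mid-section. The minimal two-section PE32 it plants inside a fake OLE prefix is constructed test data. A real executable with an overlay (data appended past the last section, as packers and installers often have) would be cut short by this rule, which is why the returned info also reports how many host bytes follow the computed extent.

```python
import hashlib
import struct


def pe_extent(data, offset):
    """On-disk size of the PE at `offset`: max(SizeOfHeaders, PointerToRawData +
    SizeOfRawData over all sections). Returns (extent, truncated); truncated is
    True, and the extent clamped, when a section claims bytes past the host's end."""
    if data[offset:offset + 2] != b"MZ":
        raise ValueError("no MZ signature at offset")
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    nt = offset + e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unexpected optional-header magic 0x%x" % magic)
    # SizeOfHeaders sits at +60 in both the PE32 and the PE32+ optional header.
    extent = struct.unpack_from("<I", data, opt + 60)[0]
    sections = opt + size_opt
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, sections + 40 * i + 16)
        if size_raw:
            extent = max(extent, ptr_raw + size_raw)
    available = len(data) - offset
    return (available, True) if extent > available else (extent, False)


def carve_pe(data, offset):
    """Carve the PE at `offset` from a host buffer; returns (blob, info)."""
    extent, truncated = pe_extent(data, offset)
    blob = data[offset:offset + extent]
    info = {
        "offset": offset,
        "size": len(blob),
        "truncated": truncated,
        # Host bytes after the computed extent: an overlay if the PE was appended
        # to the host, otherwise simply the remainder of the container.
        "trailing": len(data) - (offset + extent),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    return blob, info


def build_sample(prefix_len=0x200):
    """Constructed host: a fake OLE prefix, a minimal two-section PE32, then
    some trailing container bytes. Returns (host, pe_offset, pe_size)."""
    e_lfanew, size_opt, num_sections = 0x80, 0xE0, 2
    # (name, PointerToRawData, SizeOfRawData)
    sections = [(b".text", 0x200, 0x400), (b".data", 0x600, 0x150)]
    pe_size = max(ptr + size for _, ptr, size in sections)           # 0x750
    image = bytearray(pe_size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4,
                     0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x10B)           # PE32 magic
    struct.pack_into("<I", image, opt + 60, 0x200)      # SizeOfHeaders
    for i, (name, ptr, size) in enumerate(sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8sIIII", image, opt + size_opt + 40 * i,
                         name, size, 0x1000 * (i + 1), size, ptr)
    image[0x200:0x600] = b"\x90" * 0x400
    image[0x600:0x750] = b"cmd.exe /k\0".ljust(0x150, b"\0")   # echoes the recovered string
    host = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * (prefix_len - 8)
            + bytes(image) + b"trailing OLE stream bytes")
    return host, prefix_len, pe_size


if __name__ == "__main__":
    host, off, _ = build_sample()
    blob, info = carve_pe(host, off)
    print(info)
```

Run against the real container, the carve offset would be 0xACA4 and the section-table extent can be compared with the platform's 899420-byte figure: if the header-derived extent is smaller, the difference is overlay or container data that an MZ-to-EOF carve swept up, and that is exactly the region where aPLib-style packed payloads and appended data tend to live.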