Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb5102c5ef5ba7d3…

MALICIOUS

Office (OLE)

Size: 301.1 KB | Created: 2012-11-23 04:35:00 | Authoring application: Microsoft Office Word | First seen: 2015-09-26
MD5: 67c02440f590c548903ce0ce784d2e30 SHA-1: 79d60ee32e7015f544d4bbc0c7329cab1fd8ce2a SHA-256: cb5102c5ef5ba7d3f982d97fab451cde18228b905fc428b1ee59cc94a1d91ae3
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE (Word) document whose embedded MSCOMCTL.OCX Toolbar control (MSComctlLib.Toolbar) matches the CVE-2012-0158 / CVE-2012-1856 signature, with CVE-2012-1856 the closer match. Successful exploitation gives the attacker arbitrary code execution inside the Office process, typically used to drop or download and run a second-stage payload. The NOP sled, the single-byte-XOR-encoded API names (kernel32.dll, LoadLibraryA/W, GetProcAddress, VirtualAlloc, CreateProcessW) and the 287 KB of sector slack that no stream references are consistent with shellcode staged in the document body rather than with a macro.

Heuristics (5)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 [high] CVE likely CVE_2012_1856
    The embedded MSCOMCTL.OCX Toolbar control matches the CVE-2012-0158 / CVE-2012-1856 signature; the CVE-2012-1856 variant is the closer match.
  • XOR-encoded strings (key 0xC7) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xC7: 'kernel32.dll', 'KERNEL32.DLL', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessW' (two occurrences). Together these are the import-resolution strings a position-independent shellcode stub needs before it can call anything; VirtualAlloc plus CreateProcessW are consistent with a payload that is unpacked in memory and then launched as a new process.
    Disassembly
    Attempted x86 opcode disassembly (this region is XOR-encoded string data, not code, so the instructions below are meaningless; XOR-ing the bytes at 00019A6C with 0xC7 yields 'kernel32.dll', the bytes at 00019AA8 yield 'Kernel32.dll', and the bytes at 00019AB8 yield 'CreateProcessW')
    00019A6C  ac                lodsb al, byte ptr [esi]
    00019A6D  a2b5a9a2ab        mov byte ptr [0xaba2a9b5], al
    00019A72  f4                hlt
    00019A73  f5                cmc
    00019A74  e9a3abab00        jmp 0xad461c
    00019A79  0000              add byte ptr [eax], al
    00019A7B  003f              add byte ptr [edi], bh
    00019A7D  f5                cmc
    00019A7E  8600              xchg byte ptr [eax], al
    00019A80  33f5              xor esi, ebp
    00019A82  8600              xchg byte ptr [eax], al
    00019A84  37                aaa
    00019A85  f5                cmc
    00019A86  8600              xchg byte ptr [eax], al
    00019A88  2bf5              sub esi, ebp
    00019A8A  8600              xchg byte ptr [eax], al
    00019A8C  23f5              and esi, ebp
    00019A8E  8600              xchg byte ptr [eax], al
    00019A90  0bf5              or esi, ebp
    00019A92  8600              xchg byte ptr [eax], al
    00019A94  7ff5              jg 0x19a8b
    00019A96  8600              xchg byte ptr [eax], al
    00019A98  6f                outsd dx, dword ptr [esi]
    00019A99  f5                cmc
    00019A9A  8600              xchg byte ptr [eax], al
    00019A9C  27                daa
    00019A9D  92                xchg edx, eax
    00019A9E  8600              xchg byte ptr [eax], al
    00019AA0  97                xchg edi, eax
    00019AA1  828700b7828700    add byte ptr [edi - 0x787d4900], 0
    00019AA8  8ca2b5a9a2ab      mov word ptr [edx - 0x545d564b], fs
    00019AAE  f4                hlt
    00019AAF  f5                cmc
    00019AB0  e9a3abab00        jmp 0xad4658
    00019AB5  0000              add byte ptr [eax], al
    00019AB7  0084b5a2a6b3a2    add byte ptr [ebp + esi*4 - 0x5d4c595e], al
    00019ABE  97                xchg edi, eax
    00019ABF  b5a8              mov ch, 0xa8
    00019AC1  a4                movsb byte ptr es:[edi], byte ptr [esi]
    00019AC2  a2b4b49000        mov byte ptr [0x90b4b4], al
    00019AC7  00e7              add bh, ah
    00019AC9  00e8              add al, ch
    00019ACB  00                .byte 0x00
  • NOP sled detected [high] SC_NOP_SLED
    Found 24 consecutive 0x90 bytes at 00002C50 (threshold: 20). A run this short is weak evidence on its own, since legitimate binary data can contain it, and the bytes that follow the run (0x00, 0x80, 0xFF) do not disassemble to meaningful code; treat it as corroboration for the XOR-encoded shellcode strings and the slack anomaly rather than as a standalone indicator.
    Disassembly
    Attempted x86 opcode disassembly
    00002C50  90                nop
    00002C51  90                nop
    00002C52  90                nop
    00002C53  90                nop
    00002C54  90                nop
    00002C55  90                nop
    00002C56  90                nop
    00002C57  90                nop
    00002C58  90                nop
    00002C59  90                nop
    00002C5A  90                nop
    00002C5B  90                nop
    00002C5C  90                nop
    00002C5D  90                nop
    00002C5E  90                nop
    00002C5F  90                nop
    00002C60  90                nop
    00002C61  90                nop
    00002C62  90                nop
    00002C63  90                nop
    00002C64  90                nop
    00002C65  90                nop
    00002C66  90                nop
    00002C67  90                nop
    00002C68  0000              add byte ptr [eax], al
    00002C6A  0000              add byte ptr [eax], al
    00002C6C  0000              add byte ptr [eax], al
    00002C6E  0000              add byte ptr [eax], al
    00002C70  0000              add byte ptr [eax], al
    00002C72  0000              add byte ptr [eax], al
    00002C74  800000            add byte ptr [eax], 0
    00002C77  800000            add byte ptr [eax], 0
    00002C7A  008080008000      add byte ptr [eax + 0x800080], al
    00002C80  0000              add byte ptr [eax], al
    00002C82  800080            add byte ptr [eax], 0x80
    00002C85  0080800000c0      add byte ptr [eax - 0x3fffff80], al
    00002C8B  c0c000            rol al, 0
    00002C8E  808080000000ff    add byte ptr [eax + 0x80], 0xff
    00002C95  0000              add byte ptr [eax], al
    00002C97  ff00              inc dword ptr [eax]
    00002C99  0000              add byte ptr [eax], al
    00002C9B  ff                .byte 0xff
    00002C9C  ff00              inc dword ptr [eax]
    00002C9E  ff00              inc dword ptr [eax]
    00002CA0  0000              add byte ptr [eax], al
    00002CA2  ff00              inc dword ptr [eax]
    00002CA4  ff00              inc dword ptr [eax]
    00002CA6  ff                .byte 0xff
    00002CA7  ff00              inc dword ptr [eax]
    00002CA9  00ff              add bh, bh
    00002CAB  ff                .byte 0xff
    00002CAC  ff00              inc dword ptr [eax]
    00002CAE  ff                .byte 0xff
    00002CAF  ff                .byte 0xff
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 308,304 bytes but its declared streams total only 20,824 bytes, so 287,480 bytes (93%) lie in sectors that no stream references. A few kilobytes of header, FAT and directory overhead are normal; hundreds of kilobytes are not. This is the classic hiding place for exploit-based (non-macro) Office payloads: XOR-encoded shellcode that execution reaches once a parser pointer-corruption bug in the document structure, such as the MSCOMCTL one above, is triggered.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office itself writes into drawing structures; it is expected in a Word file and is not a network indicator.
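The two shellcode heuristics above (SC_XOR_ENCODED and SC_NOP_SLED) can be reproduced with a few lines of Python. This is an added example, not the analyser's own code. SAMPLE_XOR is constructed from bytes copied out of the disassembly listing at 00019A6C, 00019AA8 and 00019AB8 in this report, padded with NUL filler; SAMPLE_NOP is a constructed buffer shaped like the region at 00002C50. The API name list, function names and thresholds are our own choices.

```python
"""Shellcode-string heuristics: single-byte-XOR scan for Windows API names
(SC_XOR_ENCODED) and NOP-sled run detection (SC_NOP_SLED).

Added example, not the analyser's code.  Sample buffers are constructed
from bytes shown in the report's disassembly listings."""
import re

# Resolver strings a position-independent payload needs before it can call
# anything; several of them decoding under one XOR key is a strong signal.
API_NAMES = [b"kernel32.dll", b"LoadLibraryA", b"LoadLibraryW",
             b"GetProcAddress", b"VirtualAlloc", b"CreateProcessW",
             b"WinExec", b"URLDownloadToFileA"]

SAMPLE_XOR = bytes.fromhex(
    "ac a2 b5 a9 a2 ab f4 f5 e9 a3 ab ab 00 00 00 "   # 00019A6C: 'kernel32.dll' ^ 0xC7
    "8c a2 b5 a9 a2 ab f4 f5 e9 a3 ab ab 00 00 00 "   # 00019AA8: 'Kernel32.dll' ^ 0xC7
    "84 b5 a2 a6 b3 a2 97 b5 a8 a4 a2 b4 b4 90 00 "   # 00019AB8: 'CreateProcessW' ^ 0xC7
)
# 24 NOPs between filler bytes, shaped like 00002C50 in the report (constructed).
SAMPLE_NOP = b"\x00" * 8 + b"\x90" * 24 + b"\x00\x00\x80\x00\x80\x00\xff\x00"


def xor_scan(buf, names=API_NAMES, min_hits=2):
    """Try every key 0x01..0xFF; return {key: [(offset, decoded_name), ...]}
    for keys that decode at least min_hits names.  Matching is
    case-insensitive (so 'kernel32.dll' and 'Kernel32.dll' both count,
    which is how the report reaches two spellings); key 0x00 is plaintext
    and is skipped."""
    lowered = [re.escape(n.lower()) for n in names]
    results = {}
    for key in range(1, 256):
        dec = bytes(b ^ key for b in buf)
        low = dec.lower()
        hits = []
        for pat in lowered:
            for m in re.finditer(pat, low):
                hits.append((m.start(), dec[m.start():m.end()].decode("ascii")))
        if len(hits) >= min_hits:
            results[key] = sorted(hits)
    return results


def nop_sleds(buf, min_len=20):
    """Return (offset, length) for every run of at least min_len 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(b"\x90{%d,}" % min_len, buf)]


def triage(buf):
    """Weight the two signals the way an analyst would: XOR-encoded API
    names are decisive, a short NOP run alone is only suspicious."""
    keys = xor_scan(buf)
    sleds = nop_sleds(buf)
    if keys:
        verdict = "critical"
    elif sleds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "xor_keys": keys, "nop_sleds": sleds}


if __name__ == "__main__":
    print(triage(SAMPLE_XOR + SAMPLE_NOP))
```

Run against the constructed buffer, `xor_scan` reports only key 0xC7, decoding 'kernel32.dll' at offset 0, 'Kernel32.dll' at offset 15 and 'CreateProcessW' at offset 30, and `nop_sleds` reports the 24-byte run. Requiring at least two name hits under the same key is what keeps a single accidental match in random data from firing the critical rating.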
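The OLE_SLACK_ANOMALY figure (file size minus the bytes the directory's stream entries declare) can be checked independently of the analyser. The following is an added example, not the analyser's or any library's code: a minimal MS-CFB walker that reads the header, the FAT and the directory chain, plus a constructed sample compound file built by `build_sample_ole()` so it runs offline. The stream name "WordDocument", the payload size and the number of unreferenced sectors are made up for illustration.

```python
"""Measure how much of an OLE compound file lies outside its declared
streams (the OLE_SLACK_ANOMALY heuristic).

Added example, not the analyser's code.  build_sample_ole() fabricates a
minimal v3 compound file with a chosen number of unreferenced sectors."""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def ole_slack(data):
    """Sum declared stream sizes from the directory and count sectors the FAT
    marks free or never covers.  Returns the report's metric (file size minus
    declared stream bytes) beside the stricter unallocated-sector count."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]          # 512 (v3) or 4096 (v4)
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)            # header DIFAT only:
    fat = []                                                   # enough for <= 109 FAT sectors
    for s in difat[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))
    streams, s, seen = [], first_dir, set()
    while s != ENDOFCHAIN and s < len(fat) and s not in seen:  # follow directory chain
        seen.add(s)
        for i in range(sec // 128):                            # 128-byte directory entries
            e = (s + 1) * sec + i * 128
            name_len, obj_type = struct.unpack_from("<HB", data, e + 0x40)
            if obj_type == 2:                                  # 2 = stream object
                name = data[e:e + max(name_len - 2, 0)].decode("utf-16-le")
                streams.append((name, struct.unpack_from("<I", data, e + 0x78)[0]))
        s = fat[s]
    declared = sum(size for _, size in streams)
    total_sectors = (len(data) - sec) // sec
    unalloc = sum(1 for i in range(total_sectors) if i >= len(fat) or fat[i] == FREESECT)
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_bytes": declared,
        "slack_bytes": len(data) - declared,                   # the report's metric
        "slack_pct": round(100.0 * (len(data) - declared) / len(data), 1),
        "unallocated_bytes": unalloc * sec,                    # sectors no chain references
    }


def build_sample_ole(payload, slack_sectors):
    """Constructed v3 compound file: directory in sector 0, FAT in sector 1,
    one stream from sector 2, then slack_sectors of filler that nothing
    references (where an exploit document parks its shellcode)."""
    sec = 512
    n_data = (len(payload) + sec - 1) // sec
    hdr = bytearray(sec)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<8I", hdr, 0x2C, 1, 0, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 1, *([FREESECT] * 108))   # the one FAT sector is sector 1

    def dirent(name, obj_type, start, size):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(enc)] = enc
        struct.pack_into("<HBB", e, 0x40, len(enc), obj_type, 1)
        struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, 1 if obj_type == 5 else FREESECT)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (dirent("Root Entry", 5, ENDOFCHAIN, 0)
                 + dirent("WordDocument", 2, 2, len(payload)) + bytes(256))
    chain = list(range(3, 2 + n_data)) + [ENDOFCHAIN]          # sector chain of the stream
    entries = [ENDOFCHAIN, FATSECT] + chain
    entries += [FREESECT] * (sec // 4 - len(entries))
    fat = struct.pack("<%dI" % (sec // 4), *entries)
    filler = bytes(range(256)) * (2 * slack_sectors)           # 512 bytes per slack sector
    return bytes(hdr) + directory + fat + payload.ljust(n_data * sec, b"\x00") + filler


if __name__ == "__main__":
    print(ole_slack(build_sample_ole(b"A" * 700, slack_sectors=20)))
```

With a 700-byte stream and 20 unreferenced sectors the sample is 12,800 bytes, of which 12,100 (94.5%) fall outside the declared stream, much like the 93% in this report. The naive metric is only meaningful once the file is large enough for header, FAT and directory overhead to be negligible (the same sample with zero slack sectors still shows 72.7% "slack" at 2,560 bytes), which is why the function also returns the unallocated-sector count, 10,240 bytes here and 0 for the zero-slack variant. On a real sample the same declared-bytes sum is what olefile's directory listing gives you.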