Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d4ef34ac4b71d922…

MALICIOUS

Office (OLE)

Size: 108.6 KB
Created: 2012-11-23 04:35:00
Authoring application: Microsoft Office Word
First seen: 2015-09-29
MD5: a19ea8af5b4cc2b74cd872a6c2f082d0
SHA-1: 6c75f4fbb0b160cd43d622d043cf92d798fd7ad5
SHA-256: d4ef34ac4b71d922ca0f7eefa2ff0e7c1dcd874339e4917680107fcf0220baf6
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document that exploits CVE-2012-1856, a vulnerability in MSComctlLib.Toolbar. This exploit allows for the execution of arbitrary code, likely to download and run a secondary payload. The presence of a NOP sled and XOR-encoded strings further indicates malicious intent.

Heuristics (5)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 [high] CVE likely: CVE_2012_1856
  • XOR-encoded strings (key 0xC7) [critical] SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xC7: 'kernel32.dll', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc'
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 111,184 bytes but its declared streams total only 20,824 bytes — 90,360 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main
    Channel: in document text (OLE body)