Malicious Office (OLE) / .BIN — malware analysis report

Static analysis result for SHA-256 dc54e339ab27ff40…

MALICIOUS

Office (OLE) / .BIN

Size: 754.7 KB (772,773 bytes)
Created: 2003-07-13 10:04:24
Authoring application: Microsoft Excel
First seen: 2020-01-07

MD5: 68664f224d98b8a8043ce15fd019d745
SHA-1: 18c64d6dd04f8059c72866667365603ab0f6baa6
SHA-256: dc54e339ab27ff406f4ab5aa26abe328856fd020fd762c5b596866d46fe9bb9f

Risk Score: 742

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1055 Process Injection

The sample is an OLE container with a PE executable embedded in its unallocated sector slack. Several critical and high-severity heuristics fire on string references to the APIs that download-and-execute and process-injection code depends on: WinExec, CreateProcess, ShellExecute, URLDownloadToFile, WriteProcessMemory and CreateRemoteThread. An embedded executable combined with those imports indicates a dropper that fetches and runs a secondary payload (T1105) and injects into another process (T1055). The document body contains the string 'This is an Antivirus Bait file'; marker text of that kind is typical of files built to probe or test antivirus detection, so the verdict rests on the embedded PE and the ClamAV match, not on the marker. Note that the API names are string references found statically, not observed calls: they establish capability, and confirming the download-and-execute behaviour requires detonating the sample in a sandbox.

Heuristics (17)

  • ClamAV: Win.Malware.Ausiv-9940816-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Ausiv-9940816-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x0C bytes found
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'or' is 64% of instructions — a sled or padding/filler run, not program logic).
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 772,773 bytes but its declared streams total only 12,288 bytes — 760,485 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for macro-less Office exploit documents, which reach XOR-encoded shellcode through a parser pointer-corruption bug in the document structure rather than through VBA. The carved executable at offset 0x8CAA5 (576,165 bytes into the file) sits in this region, far past anything the stream directory accounts for.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 100% of instructions — a sled or padding/filler run, not program logic).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in document text (OLE body). The two nirsoft.net references concern saved-password locations and Internet Explorer password recovery; that is consistent with credential-recovery tooling strings inside the embedded executable, but it is an inference from the URL text, not a detection.
    • http://www.nirsoft.net/articles/saved_password_location.html
    • http://www.nirsoft.net/utils/internet_explorer_password.html
    • http://www.mozilla.org/MPL/
    • http://www.json.org/
    • http://www.json.org/json.js
    • http://www.w3.org/1999/XMLSchema
    • http://schemas.microsoft.com/Schemas/AspWebControls
    • http://schemas.microsoft.com/Schemas/VisualStudio/HTML
    • http://www.nirsoft.net/articles/saved_password_location.htmlrem (as extracted; the trailing 'rem' is most likely adjacent text captured together with the URL, which is the same page as the first entry)
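The SC_STR_*, SC_HEAP_SPRAY and SC_NOP_EQUIV_SLED heuristics above are all byte-level string and run checks, which makes them easy to reproduce. The following is an added example written for this page, not the report generator's own code: it scans a blob for the watched API names in both ASCII and UTF-16LE (keeping the A/W suffix the binary actually uses), finds long single-byte runs of the sled fillers, pulls out printf-style command templates such as the CmdLine->%s string recovered from the carved executable, and emits rows tagged with the heuristic IDs used in this report. The SAMPLE blob is constructed for the demonstration and contains no bytes from the analysed file; the severities and IDs are taken from the list above.

```python
import re

# Heuristic IDs and severities as they appear in the report above, keyed by the API name.
API_HEURISTICS = {
    "URLDownloadToFile": ("SC_STR_URLDOWNLOAD", "critical"),
    "WriteProcessMemory": ("SC_STR_WRITEPROCESSMEMORY", "critical"),
    "CreateRemoteThread": ("SC_STR_CREATEREMOTETHREAD", "critical"),
    "WinExec": ("SC_STR_WINEXEC", "high"),
    "CreateProcess": ("SC_STR_CREATEPROCESS", "high"),
    "ShellExecute": ("SC_STR_SHELLEXEC", "high"),
    "LoadLibrary": ("SC_STR_LOADLIBRARY", "high"),
    "GetProcAddress": ("SC_STR_GETPROCADDRESS", "high"),
    "VirtualAlloc": ("SC_STR_VIRTUALALLOC", "medium"),
    "VirtualProtect": ("SC_STR_VIRTUALPROTECT", "medium"),
}

# Filler bytes whose long runs are padding, not logic: 0x0C is the classic heap-spray slide
# ('or al, 0Ch' if executed); 0x41 ('inc ecx') and 0x90 ('nop') are NOP-equivalent sleds.
SLED_BYTES = {
    0x0C: ("SC_HEAP_SPRAY", "high"),
    0x41: ("SC_NOP_EQUIV_SLED", "medium"),
    0x90: ("SC_NOP_EQUIV_SLED", "medium"),
}


def find_api_strings(data: bytes) -> dict:
    """Map each watched API name to (offset, matched import name) pairs.

    Both ASCII and UTF-16LE spellings are searched, and an A/W suffix is kept so the
    recovered name matches the import as the binary spells it (CreateProcessA, ...).
    """
    hits = {}
    for name in API_HEURISTICS:
        ascii_re = re.escape(name.encode()) + rb"[AW]?"
        wide_re = re.escape(name.encode("utf-16le")) + rb"(?:[AW]\x00)?"
        for pattern, codec in ((ascii_re, "ascii"), (wide_re, "utf-16le")):
            for m in re.finditer(pattern, data):
                hits.setdefault(name, []).append((m.start(), m.group().decode(codec)))
    return hits


def find_sleds(data: bytes, min_run: int = 64) -> list:
    """Runs of one sled byte at least min_run long, each as (offset, byte, length, id, severity)."""
    runs, i = [], 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i >= min_run and data[i] in SLED_BYTES:
            hid, sev = SLED_BYTES[data[i]]
            runs.append((i, data[i], j - i, hid, sev))
        i = j
    return runs


def find_format_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII strings carrying a printf placeholder: command and URL templates."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
            if b"%s" in m.group() or b"%d" in m.group()]


def triage(data: bytes) -> list:
    """Run all three checks and return (severity, heuristic id, detail) rows, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    rows = []
    for name, hits in find_api_strings(data).items():
        hid, sev = API_HEURISTICS[name]
        names = ", ".join(sorted({h for _, h in hits}))
        offsets = ", ".join("0x%x" % off for off, _ in hits)
        rows.append((sev, hid, "%s at %s" % (names, offsets)))
    for off, byte, length, hid, sev in find_sleds(data):
        rows.append((sev, hid, "%d x 0x%02x at 0x%x" % (length, byte, off)))
    for s in find_format_strings(data):
        rows.append(("info", "CMD_STRING", s))  # label chosen for this example, not a report ID
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


# Constructed test blob (not bytes from the analysed sample): spray filler, an MZ fragment,
# ASCII and wide import names, a command template and an 'inc ecx' sled.
SAMPLE = (
    b"\x0c" * 200
    + b"MZ\x90\x00" + bytes(60)
    + b"URLDownloadToFileA\x00CreateProcessA\x00"
    + "VirtualAlloc".encode("utf-16le") + b"\x00\x00"
    + b"CmdLine->%s\x00"
    + b"A" * 100
    + b"\x31\xc0\x50\x68"
)

if __name__ == "__main__":
    for sev, hid, detail in triage(SAMPLE):
        print(f"{sev:8} {hid:28} {detail}")
```

The min_run threshold is the knob that matters: set too low, ordinary zero-padding and table data fire it; set too high, a short slide in front of a small shellcode stub is missed. The 0x0C slide in particular should be read together with the 'degenerate disassembly' note in the report, because a run of 0x0C bytes decodes as back-to-back 'or al, 0Ch' instructions no matter where execution lands in it, which is exactly why heap-spray code uses it.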

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                           Size
embedded_office_0008caa5.exe  embedded-pe  Office, MZ+PE at offset 0x8CAA5  196,608 bytes

SHA-256: 356435a04096260169f56b48593ecfc39bf22430554b21af34858839d59b6405
Detection: ClamAV Win.Malware.Ausiv-9940816-0 (the same signature that fires on the container, so the outer verdict is carried by this embedded binary)
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C, SC_STR_CREATEPROCESS, SC_STR_SHELLEXEC.
Recovered API/import strings: CreateProcessA, CreateRemoteThread, URLDownloadToFileA, LoadLibraryA, LoadLibraryW, VirtualAlloc.
Recovered command string(s): CmdLine->%s"
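The OLE_SLACK_ANOMALY finding and the carved artifact above come from the same structural check: compare what the compound-file directory and FAT account for with the size of the file on disk, then look for MZ/PE headers in the part they do not cover. The following is an added example written for this page, not the report generator's code. It parses the CFB header, the FAT and the directory chain with the standard library only (the header's 109 DIFAT slots are enough for files well above this sample's size), sums the declared stream sizes, counts FAT-allocated sectors, and flags each carved MZ/PE header with whether it lies in a free sector. build_constructed_sample() builds a minimal, constructed container for the demonstration; it is not the analysed document, and the 'Workbook' stream name and 300-byte size are chosen for the example.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def sector_offset(sect: int, ssize: int) -> int:
    """File offset of sector `sect`; sector 0 starts right after the header."""
    return (sect + 1) * ssize


def carve_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (dword at +0x3C) lands on a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            if 0x40 <= lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def ole_slack_report(data: bytes) -> dict:
    """Compare the bytes a CFB container accounts for (directory sizes, FAT-allocated
    sectors) with its on-disk size, and locate MZ/PE headers in the unaccounted part."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB container")
    ssize = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []  # only the header DIFAT (109 FAT sectors) is followed: plenty for a 755 KB file
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (ssize // 4), data, sector_offset(s, ssize)))

    streams, s, seen = [], first_dir, set()
    while s < len(fat) and s not in seen:       # ENDOFCHAIN/FREESECT fall out of range
        seen.add(s)
        base = sector_offset(s, ssize)
        for i in range(ssize // 128):
            e = data[base + i * 128:base + (i + 1) * 128]
            if len(e) == 128 and e[0x42] == 2:   # object type 2 = stream
                nlen, = struct.unpack_from("<H", e, 0x40)
                size, = struct.unpack_from("<Q", e, 0x78)
                streams.append((e[:max(nlen - 2, 0)].decode("utf-16le", "replace"),
                                size & 0xFFFFFFFF))  # v3: only the low dword is valid
        s = fat[s]

    used = [i for i, v in enumerate(fat) if v != FREESECT]
    allocated = ssize * (1 + len(used))          # header plus every in-use sector

    def in_slack(off):
        sect = off // ssize - 1
        return sect >= 0 and (sect >= len(fat) or fat[sect] == FREESECT)

    return {
        "file_size": len(data),
        "declared_stream_bytes": sum(sz for _, sz in streams),
        "allocated_bytes": allocated,
        "unallocated_bytes": len(data) - allocated,
        "streams": streams,
        "embedded_pe": [(off, in_slack(off)) for off in carve_pe(data)],
    }


def build_constructed_sample() -> bytes:
    """Constructed input, not the analysed sample: a minimal v3 CFB with one 300-byte
    'Workbook' stream, followed by four unallocated sectors hiding a bare MZ/PE stub."""
    ssize = 512
    hdr = bytearray(ssize)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                      # one FAT sector; directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))

    def entry(name, typ, start, size, child=NOSTREAM):
        e = bytearray(128)
        raw = name.encode("utf-16le") + b"\0\0"
        e[:len(raw)] = raw
        struct.pack_into("<HB", e, 0x40, len(raw), typ)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) + entry("Workbook", 2, 2, 300) + bytes(256)
    stream = b"A" * 300 + bytes(ssize - 300)
    stub = bytearray(0x60)                                        # MZ header whose e_lfanew -> 'PE\0\0'
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    slack = b"\x0c" * 1024 + bytes(stub) + bytes(4 * ssize - 1024 - len(stub))
    return bytes(hdr) + fat + directory + stream + slack


if __name__ == "__main__":
    for key, value in ole_slack_report(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

On the analysed sample the same arithmetic gives the report's numbers: 772,773 bytes on disk against 12,288 bytes of declared streams, with the carved PE at 0x8CAA5 (576,165) well past anything the directory accounts for. Two caveats a practitioner should keep in mind: the declared-stream total undercounts legitimately used space (FAT, directory and mini-FAT sectors are allocated but appear in no stream size), which is why the FAT-based allocated_bytes figure is the one to compare against; and a benign file saved many times by Office can carry free sectors of stale data, so free slack alone is a lead, and the MZ/PE header found inside it is what turns it into a finding.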