Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd34552b0abf1346…

MALICIOUS

Office (OLE)

168.5 KB Created: 2013-06-22 01:03:45 Authoring application: Microsoft Excel First seen: 2015-09-19
MD5: 5495fa296f6a14a7d56e4415e8fa0e3e SHA-1: 1e0f34fc6e434067f552f19985182182ab9a99fc SHA-256: dd34552b0abf13461740d14b0204860f4971beeaf02785451eb1f4258c506033
720 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The sample is an Office document containing an embedded OLE package that acts as a dropper for a Windows executable. Heuristics indicate the use of APIs like CreateProcess, ShellExecute, WriteProcessMemory, and CreateRemoteThread, suggesting the dropped executable is designed to run and potentially perform malicious actions. The embedded executable is detected by ClamAV as Win.Spyware.Zbot-1275, a known spyware family.

Heuristics 15

  • ClamAV: Win.Spyware.Zbot-1275 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Spyware.Zbot-1275
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.969) — 13/13 branch targets land on an instruction boundary (100% coherence)
    0001415D  648b1530000000    mov edx, dword ptr fs:[0x30]
    00014164  8b520c            mov edx, dword ptr [edx + 0xc]
    00014167  8b5214            mov edx, dword ptr [edx + 0x14]
    0001416A  8b7228            mov esi, dword ptr [edx + 0x28]
    0001416D  b918000000        mov ecx, 0x18
    00014172  33ff              xor edi, edi
    00014174  33c0              xor eax, eax
    00014176  ac                lodsb al, byte ptr [esi]
    00014177  3c61              cmp al, 0x61
    00014179  7c02              jl 0x1417d
    0001417B  2c20              sub al, 0x20
    0001417D  c1cf0d            ror edi, 0xd
    00014180  03f8              add edi, eax
    00014182  e2f0              loop 0x14174
    00014184  81ff5bbc4a6a      cmp edi, 0x6a4abc5b
    0001418A  8b4210            mov eax, dword ptr [edx + 0x10]
    0001418D  8b12              mov edx, dword ptr [edx]
    0001418F  75d9              jne 0x1416a
    00014191  5f                pop edi
    00014192  5e                pop esi
    00014193  c3                ret
    00014194  53                push ebx
    00014195  8bd8              mov ebx, eax
    00014197  83e301            and ebx, 1
    0001419A  7510              jne 0x141ac
    0001419C  e85b380000        call 0x179fc
    000141A1  84c0              test al, al
    000141A3  7407              je 0x141ac
    000141A5  830de037420001    or dword ptr [0x4237e0], 1
    000141AC  56                push esi
    000141AD  57                push edi
    000141AE  bf24384200        mov edi, 0x423824
    000141B3  be18384200        mov esi, 0x423818
    000141B8  e8cf550000        call 0x1978c
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly
    x86 disassembly · validity: code (0.969) — 13/13 branch targets land on an instruction boundary (100% coherence)
    0001415D  648b1530000000    mov edx, dword ptr fs:[0x30]
    00014164  8b520c            mov edx, dword ptr [edx + 0xc]
    00014167  8b5214            mov edx, dword ptr [edx + 0x14]
    0001416A  8b7228            mov esi, dword ptr [edx + 0x28]
    0001416D  b918000000        mov ecx, 0x18
    00014172  33ff              xor edi, edi
    00014174  33c0              xor eax, eax
    00014176  ac                lodsb al, byte ptr [esi]
    00014177  3c61              cmp al, 0x61
    00014179  7c02              jl 0x1417d
    0001417B  2c20              sub al, 0x20
    0001417D  c1cf0d            ror edi, 0xd
    00014180  03f8              add edi, eax
    00014182  e2f0              loop 0x14174
    00014184  81ff5bbc4a6a      cmp edi, 0x6a4abc5b
    0001418A  8b4210            mov eax, dword ptr [edx + 0x10]
    0001418D  8b12              mov edx, dword ptr [edx]
    0001418F  75d9              jne 0x1416a
    00014191  5f                pop edi
    00014192  5e                pop esi
    00014193  c3                ret
    00014194  53                push ebx
    00014195  8bd8              mov ebx, eax
    00014197  83e301            and ebx, 1
    0001419A  7510              jne 0x141ac
    0001419C  e85b380000        call 0x179fc
    000141A1  84c0              test al, al
    000141A3  7407              je 0x141ac
    000141A5  830de037420001    or dword ptr [0x4237e0], 1
    000141AC  56                push esi
    000141AD  57                push edi
    000141AE  bf24384200        mov edi, 0x423824
    000141B3  be18384200        mov esi, 0x423818
    000141B8  e8cf550000        call 0x1978c
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00000aa6.exe embedded-pe Office MZ+PE at offset 0xAA6 169818 bytes
SHA-256: 4c2189b9bebb20d05b5566932c2bc96e863d3e719a53cdf268f431eb80fea133
Detection
ClamAV: Win.Spyware.Zbot-1275
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess
ole10native_00.bin ole-package OLE Ole10Native stream: MBD0001B512/Ole10Native 144852 bytes
SHA-256: 307ac289d670ac6a4697ae3e67ca8cda1e1b61a8de85148844200da79b8d27e1
Detection
ClamAV: Win.Spyware.Zbot-1275
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess
ole10native_00_File_is_crashed_Please_double_click_here_to_reload_msexcel.exe ole-package-payload OLE Ole10Native payload: MBD0001B512/Ole10Native; display_name=File is crashed, Please double click here to reload msexcel.exe; full_path=C:\Users\Chenco\AppData\Local\Temp\chenco.exe; temp_path=; def_file= 144384 bytes
SHA-256: 6b839c4ff0fef88b4fc98cb59a62c742fb227d745daa624dd3f467390e3c979b
Detection
ClamAV: Win.Spyware.Zbot-1275
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess