Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9e9acc36a6a71d2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 40.0 KB
First seen: 2012-06-14
MD5: cae6153ab7d3723fbfb7507d3f8387dd
SHA-1: bd3887880a25558ce510e8b48a8d07a863baa535
SHA-256: e9e9acc36a6a71d2c2ada0b7258f7bf8ed7961ede8f68c5a094a50dc78cbc607
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a legacy WordBasic AUTOOPEN macro, indicating an attempt to execute malicious code as soon as the document is opened. The document body discusses Dial-Up Networking scripting, most likely lure content intended to persuade the reader to enable macros. The presence of XOR-encoded strings and a ClamAV detection for Win.Worm.Kamar-1 further supports the malicious verdict.

Heuristics (3)

  • ClamAV: Win.Worm.Kamar-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Kamar-1
  • XOR-encoded strings (key 0x4F) [critical] SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x4F: 'ExitProcess'
    Disassembly
    Attempted x86 opcode disassembly
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; on its own it does not attribute the sample to a downloader or to a parser CVE.