Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ee0b1f317363bc86…

MALICIOUS

Office (OLE)

Size: 255.1 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-09-19
MD5: 5875878bec752eb6bbdc455de37fe090
SHA-1: 1a8e815ff5b09bc6c392821c4ae6a3397b58260e
SHA-256: ee0b1f317363bc86339ab68c4d022e7c5498d6ae27943ae4ac922ba88aff741b
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The critical CVE-2009-3129 heuristic indicates that this Excel file exploits a heap overflow vulnerability to achieve code execution. The suspicious cmd.exe invocation suggests a follow-on action, likely downloading and executing a payload. The embedded URLs, although mostly benign or malformed, point towards potential command and control infrastructure.

Heuristics (5)

  • CVE-2009-3129 — Excel FEATHEADER record overflow [severity: critical; CVE match: exact; id: CVE_2009_3129]
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • PEB access via FS segment (x86) [severity: high; id: SC_PEB_ACCESS]
    Disassembly (attempted x86 opcode disassembly of the embedded bytes):
    00000D0F  64a130000000      mov eax, dword ptr fs:[0x30]
    00000D15  90                nop
    00000D16  8b400c            mov eax, dword ptr [eax + 0xc]
    00000D19  90                nop
    00000D1A  8b701c            mov esi, dword ptr [eax + 0x1c]
    00000D1D  ad                lodsd eax, dword ptr [esi]
    00000D1E  8b7008            mov esi, dword ptr [eax + 8]
    00000D21  90                nop
    00000D22  e98b020000        jmp 0xfb2
    00000D27  58                pop eax
    00000D28  90                nop
    00000D29  81ec00020000      sub esp, 0x200
    00000D2F  8bfc              mov edi, esp
    00000D31  897708            mov dword ptr [edi + 8], esi
    00000D34  894710            mov dword ptr [edi + 0x10], eax
    00000D37  ff7708            push dword ptr [edi + 8]
    00000D3A  68ec97030c        push 0xc0397ec
    00000D3F  e81a020000        call 0xf5e
    00000D44  89471c            mov dword ptr [edi + 0x1c], eax
    00000D47  ff7708            push dword ptr [edi + 8]
    00000D4A  68f622b97c        push 0x7cb922f6
    00000D4F  e80a020000        call 0xf5e
    00000D54  90                nop
    00000D55  894720            mov dword ptr [edi + 0x20], eax
    00000D58  ff7708            push dword ptr [edi + 8]
    00000D5B  68a517007c        push 0x7c0017a5
    00000D60  e8f9010000        call 0xf5e
    00000D65  894724            mov dword ptr [edi + 0x24], eax
    00000D68  ff7708            push dword ptr [edi + 8]
    00000D6B  68                .byte 0x68
    00000D6C  fb                sti
    00000D6D  97                xchg edi, eax
    00000D6E  fd                std
  • Suspicious cmd.exe invocation with execution flag [severity: high; id: SC_STR_CMD]
  • OLE document has large unaccounted-for region [severity: high; id: OLE_SLACK_ANOMALY]
    OLE file is 261,182 bytes but its declared streams total only 24,565 bytes — 236,617 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [severity: info; id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in brackets):
    • http://www.pdf-repair.com [in document text (OLE body)]
    • http://www.pdf-repair.com)/Producer(Advanced [in document text (OLE body)]
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08 [in document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [in document text (OLE body)]
    • http://ns.adobe.com/pdf/1.3/ [in document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/ [in document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [in document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [in document text (OLE body)]