Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eefcff559427ce4c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 425.0 KB
First seen: 2015-09-24
MD5: 78496046ce95f9ef03740b7879d66240
SHA-1: 940abb1a32c5a12137e90a12f6ee509ada2f77c2
SHA-256: eefcff559427ce4c938b5bde13a2cec615ffeddf59de04fb1e3e125c133fc691
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or packed content. A critical heuristic identified XOR-encoded strings with a single-byte key of 0x12, a technique commonly used to hide malicious payloads within VBA macros. Although the VBA project itself contains no executable statements, the presence of the encoded library names points to downloader or dropper functionality, likely delivered via a spearphishing attachment.

Heuristics (3)

  • XOR-encoded strings (key 0x12) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x12: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll'
    Disassembly: attempted x86 opcode disassembly of the flagged region
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 435,224 bytes, but its declared streams total only 12,713 bytes: the remaining 422,511 bytes (97%) lie in unallocated sector slack that no stream accounts for. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 671 bytes
SHA-256: 951208b608f8616684e7f652db35c4e21fc13440c541a1e128fc5562ec7888f1
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TreeView1, 1, 0, MSComctlLib, TreeView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True