Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd98cf1c2b3279d2…

MALICIOUS

Office (OLE)

548.5 KB Created: 2016-02-29 02:43:00 Authoring application: Microsoft Office Word First seen: 2019-05-10
MD5: 7b66999cee8874b56e02bd637ee993f4 SHA-1: 4a36424096bc518009b6cedff15554ce1fe2563f SHA-256: fd98cf1c2b3279d2977e92fa5da669b6aec2fae34c769aa4ffadc4a8d383e536
522 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File Execution: Malicious Script T1105 Ingress Tool Transfer

The sample is an Office document containing an OLE package that embeds a PE executable. Heuristics indicate this package is a script dropper designed to download and execute a payload. The document also contains lures related to clipboard commands and secret recovery, suggesting social engineering to trick the user into executing the embedded malicious content. The embedded PE executable and the script dropper functionality point towards a downloader or dropper malware.

Heuristics 13

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.usertrust.com0 Embedded OLE package script
    • https://secure.comodo.net/CPS0FEmbedded OLE package script
    • http://ocsp.comodoca.com0Embedded OLE package script
    • http://ts-ocsp.ws.symantec.com07In document text (OLE body)
    • http://ocsp.thawte.com0In document text (OLE body)
    • http://www.chiark.greenend.org.uk/~sgtatham/putty/Embedded OLE package script
    • http://schemas.microsoft.com/SMI/2005/WindowsSettingsEmbedded OLE package script
    • http://crl.usertrust.com/AddTrustExternalCARoot.crl05Embedded OLE package script
    • http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0wEmbedded OLE package script
    • http://crt.comodoca.com/COMODOSHA256CodeSigningCA.crt0$Embedded OLE package script
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0In document text (OLE body)
    • http://www.chiark.greenend.org.uk/~sgtatham/putty/0In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00005267.exe embedded-pe Office MZ+PE at offset 0x5267 540569 bytes
SHA-256: bd23e46664d89f25e64da4fbc9f877085b4f76c90a1312ac634ae2570afa2d48
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1530433198/Ole10Native 531647 bytes
SHA-256: d631cea25e326505172555c00e6f6360d14c134a110ce2865707dfd82e0fb101
ole10native_00_putty.exe ole-package-payload OLE Ole10Native payload: ObjectPool/_1530433198/Ole10Native; display_name=putty.exe; full_path=C:\Users\User\AppData\Local\Temp\putty.exe; temp_path=; def_file= 531368 bytes
SHA-256: 9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91

Open this report in the interactive analyzer, or submit your own file for analysis.