Well, there's your problem!
The file is NOT an executable, it's a relocatable.
Effectively, what you have there is an ELF object file. These are generated when a file is compiled by a compiler, but NOT linked into an executable.
So, assuming a single source file was used to create this, it would typically be generated by doing something like this:
So for a C program, compiled using gcc:
Bash:
gcc -c /path/to/somefile.c
Or for a C++ program compiled using g++:
Bash:
g++ -c /path/to/somefile.cpp
The -c flag tells gcc/g++ to compile the source file, but NOT to link it into an executable.
So the compiler will parse/validate the source code; once it's all been validated/compiled, it will be assembled during the assembly stage into a relocatable ELF object file.
So both of those examples would generate a relocatable ELF object file called somefile.o.
They're called relocatable, because the functions and variables are not bound to any fixed addresses, the objects are just symbols.
If you run the file through a linker - you can link it into an executable. The linker will assign addresses to the variables/symbols and functions in the object file.
Also, for executables, it will provide a bootstrap that will load the main() function.
C and C++ were just arbitrary examples; other compiled languages can be compiled to relocatables in a similar way. You could do this in assembly with NASM/TASM - compile to an object file, without linking into an executable.
If you use readelf you should see a table of the symbols inside the file.
e.g.
Bash:
readelf --symbols /path/to/malwareSample
That will show you all of the symbols that are in the object file and you should see that all of the addresses/offsets are set to 00000000.
If it has a main() function listed - it means it could be linked as an executable - but you'd probably also need the original source file used to compile the malware sample in order to do so.
If it does not have a main function, then the object file is more likely intended to be linked as a shared object (.so), which is a library file (a bit like a .dll in Windows) - in which case another application would have to be compiled and linked to use the malicious library, instead of some other genuine library. (I'm guessing!)
I hope this helps!
EDIT: I imagine that the reason the malware sample was distributed as an object file and not as a linked executable is probably because it's malware!
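As an added example (not the poster's code), here is a small Python script that does the same triage the answer describes with readelf: it reads e_type from the ELF header to tell a relocatable (ET_REL) from an executable, then walks .symtab to see whether main is defined and which symbols are still unresolved and would have to be supplied by a linker. It builds its own constructed ELF64 object image to run against; build_sample_rel, the symbol names main/helper/puts and the function names are assumptions for the demo, not anything from a real sample.

```python
import struct

SHT_SYMTAB = 2
ET_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def elf_type(data):
    """Return the e_type name (the 'Type' line of readelf -h) for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    return ET_NAMES.get(struct.unpack_from("<H", data, 16)[0], "ET_UNKNOWN")

def symbols(data):
    """Yield (name, st_value, st_shndx) from the SHT_SYMTAB section, like readelf --symbols."""
    e_shoff, e_shentsize, e_shnum = struct.unpack_from("<Q", data, 40) + struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    for sh in shdrs:  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
        if sh[1] != SHT_SYMTAB:
            continue
        strtab = shdrs[sh[6]]  # sh_link of .symtab is the index of the string table holding the names
        names = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, _info, _other, st_shndx, st_value, _size = struct.unpack_from("<IBBHQQ", data, off)
            yield names[st_name:names.index(b"\0", st_name)].decode(), st_value, st_shndx

def classify(data):
    """The post's questions: relocatable?  defines main?  what must the linker resolve?  any real addresses?"""
    syms = list(symbols(data))
    return {
        "type": elf_type(data),
        "has_main": any(n == "main" and shndx != 0 for n, _v, shndx in syms),
        "undefined": sorted(n for n, _v, shndx in syms if shndx == 0 and n),  # SHN_UNDEF: supplied at link time
        "max_value": max(v for _n, v, _s in syms),  # in ET_REL these are offsets within a section, not addresses
    }

def build_sample_rel():
    """Constructed ET_REL image for this demo (not a real sample): main and helper in .text, puts undefined."""
    symtab = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)              # mandatory null symbol
    symtab += struct.pack("<IBBHQQ", 1, 0x12, 0, 1, 0x00, 0x20)     # main:   GLOBAL FUNC, section 1, offset 0
    symtab += struct.pack("<IBBHQQ", 6, 0x12, 0, 1, 0x20, 0x10)     # helper: GLOBAL FUNC, section 1, offset 0x20
    symtab += struct.pack("<IBBHQQ", 13, 0x10, 0, 0, 0, 0)          # puts:   GLOBAL NOTYPE, SHN_UNDEF
    strtab = b"\0main\0helper\0puts\0".ljust(24, b"\0")             # padded so .symtab stays 8-byte aligned
    symtab_off, shoff = 64 + 0x30 + 24, 64 + 0x30 + 24 + len(symtab)  # after ehdr, .text (0x30 bytes), .strtab
    shdr = lambda typ, off, size, link, entsize: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(1, 64, 0x30, 0, 0)          # [0] null, [1] .text (SHT_PROGBITS)
             + shdr(2, symtab_off, len(symtab), 3, 24)               # [2] .symtab, sh_link -> [3]
             + shdr(3, 64 + 0x30, len(strtab), 0, 0))                # [3] .strtab
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8             # ELF64, little-endian, SysV ABI
            + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 0))  # e_type 1 = ET_REL
    return ehdr + b"\0" * 0x30 + strtab + symtab + shdrs
```

Run classify() on the bytes of a real file instead of build_sample_rel() to reproduce the readelf check; an unresolved list that is empty and a type of ET_EXEC or ET_DYN means the file was already linked.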