Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b36101f9349f2d1…

MALICIOUS

Office (OLE)

Size: 434.8 KB
Authoring application: Microsoft Excel
First seen: 2015-09-29
MD5: 8318313015f55f754a4e9c35b1e298f8
SHA-1: e0631dd0a757bbadc81d3c20c4cf516ea6631b41
SHA-256: 2b36101f9349f2d141db84f9d05ade622187068d17067e15701b2fc3e80afadd
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Excel document exhibiting characteristics of a malicious macro-enabled file, including an appended payload and XOR-encoded strings. The VBA macros, though appearing empty of executable statements, are likely used to deobfuscate and execute the appended payload, which is a common technique for downloading and running further malicious content. The presence of VirtualAlloc API calls suggests memory manipulation for payload execution.

Heuristics (5)

  • XOR-encoded strings (key 0xDE) [severity: critical, id: SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
    Attempted x86 opcode disassembly of the encoded region (bytes are still XOR-encoded, so the listing is not meaningful code):
    00010BFD  99                cdq
    00010BFE  bbaa8eacb1        mov ebx, 0xb1ac8eaa
    00010C03  bd9fbabaac        mov ebp, 0xacbaba9f
    00010C08  bbadadde99        mov ebx, 0x99deadad
    00010C0D  bbaa8abbb3        mov ebx, 0xb3bb8aaa
    00010C12  ae                scasb al, byte ptr es:[edi]
    00010C13  8e                .byte 0x8e
    00010C14  bfaab69fde        mov edi, 0xde9fb6aa
    00010C19  9d                popfd
    00010C1A  ac                lodsb al, byte ptr [esi]
    00010C1B  bbbfaabb98        mov ebx, 0x98bbaabf
    00010C20  b7b2              mov bh, 0xb2
    00010C22  bb9fde99bb        mov ebx, 0xbb99de9f
    00010C27  aa                stosb byte ptr es:[edi], al
    00010C28  98                cwde
    00010C29  b7b2              mov bh, 0xb2
    00010C2B  bb8db7a4bb        mov ebx, 0xbba4b78d
    00010C30  de8dbbaa98b7      fimul word ptr [ebp - 0x48675545]
    00010C36  b2bb              mov dl, 0xbb
    00010C38  8e                .byte 0x8e
    00010C39  b1b7              mov cl, 0xb7
    00010C3B  b0aa              mov al, 0xaa
    00010C3D  bbacde8cbb        mov ebx, 0xbb8cdeac
    00010C42  bfba98b7b2        mov edi, 0xb2b798ba
    00010C47  bbde89acb7        mov ebx, 0xb7ac89de
    00010C4C  aa                stosb byte ptr es:[edi], al
    00010C4D  bb98b7b2bb        mov ebx, 0xbbb2b798
    00010C52  de9db2b1adbb      ficomp word ptr [ebp - 0x44524e4e]
    00010C58  96                xchg esi, eax
    00010C59  bf                .byte 0xbf
    00010C5A  b0ba              mov al, 0xba
    00010C5C  b2                .byte 0xb2
  • OLE document has large unaccounted-for region [severity: high, id: OLE_SLACK_ANOMALY]
    OLE file is 445,209 bytes but its declared streams total only 240,528 bytes — 204,681 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [severity: high, id: OLE_APPENDED_PAYLOAD]
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API [severity: medium, id: SC_STR_VIRTUALALLOC]
    The sample contains a string referencing the VirtualAlloc API, commonly used to allocate executable memory for a decoded payload.
  • VBA project contains no executable statements [severity: low, id: OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Preview of the extracted script (macros.bas):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True