Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The ClamAV detection explicitly identifies this file as Osx.Trojan.CVE_2009_0563-4, indicating it exploits a known vulnerability. The presence of a NOP sled and GetPC stub further suggests shellcode execution, consistent with exploitation. The OLE slack anomaly points to potential obfuscation or embedded malicious content.
Heuristics (5)
- ClamAV: Osx.Trojan.CVE_2009_0563-4 (severity: critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Osx.Trojan.CVE_2009_0563-4
- NOP sled detected (severity: high, SC_NOP_SLED): found 20+ consecutive 0x90 bytes
  Disassembly (attempted x86 opcode disassembly):
    00001046-0000107E  90            nop   (57 consecutive single-byte nop instructions)
    0000107F  0909          or dword ptr [ecx], ecx
    00001081  0909          or dword ptr [ecx], ecx
    00001083  099090909090  or dword ptr [eax - 0x6f6f6f70], edx
    00001089-00001093  90            nop   (11 consecutive single-byte nop instructions)
    00001094  10f0          adc al, dh
    00001096  e38f          jecxz 0x1027
    00001098  0000          add byte ptr [eax], al
    0000109A  0000          add byte ptr [eax], al
    0000109C  0000          add byte ptr [eax], al
    0000109E  0000          add byte ptr [eax], al
    000010A0  0000          add byte ptr [eax], al
    000010A2  0000          add byte ptr [eax], al
    000010A4  0000          add byte ptr [eax], al
- x86 GetPC stub (CALL $+5; POP EAX) (severity: high, SC_GETPC_CALL): x86 GetPC stub (CALL $+5; POP EAX)
  Disassembly (attempted x86 opcode disassembly):
    00008AFE  e800000000      call 0x8b03
    00008B03  58              pop eax
    00008B04  ffb03b5b0000    push dword ptr [eax + 0x5b3b]
    00008B0A  8b80eb830000    mov eax, dword ptr [eax + 0x83eb]
    00008B10  ffe0            jmp eax
    00008B12  e800000000      call 0x8b17
    00008B17  58              pop eax
    00008B18  8b80db830000    mov eax, dword ptr [eax + 0x83db]
    00008B1E  ffe0            jmp eax
    00008B20  55              push ebp
    00008B21  89e5            mov ebp, esp
    00008B23  57              push edi
    00008B24  56              push esi
    00008B25  53              push ebx
    00008B26  83ec04          sub esp, 4
    00008B29  817d10c0000000  cmp dword ptr [ebp + 0x10], 0xc0
    00008B30  7426            je 0x8b58
    00008B32  817d1000010000  cmp dword ptr [ebp + 0x10], 0x100
    00008B39  7428            je 0x8b63
    00008B3B  817d1080000000  cmp dword ptr [ebp + 0x10], 0x80
    00008B42  b801000000      mov eax, 1
    00008B47  0f85ee030000    jne 0x8f3b
    00008B4D  8b4508          mov eax, dword ptr [ebp + 8]
    00008B50  c7000a000000    mov dword ptr [eax], 0xa
    00008B56  eb14            jmp 0x8b6c
    00008B58  8b7d08          mov edi, dword ptr [ebp + 8]
    00008B5B  c7              .byte 0xc7
    00008B5C  07              pop es
    00008B5D  0c              .byte 0x0c
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 162,042 bytes but its declared streams total only 22,878 bytes; 139,164 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)