Verdict: MALICIOUS
Risk Score: 522
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1105 Ingress Tool Transfer
- T1027 Obfuscated Files or Information
The sample contains an embedded PE executable and references to Windows APIs like CreateProcess, VirtualAlloc, and WriteProcessMemory, indicating it attempts to execute code. The XOR-encoded strings and embedded executable suggest obfuscation and a multi-stage attack. The embedded URLs are likely used to download additional malicious components.
Heuristics (11)
- ClamAV: Win.Malware.Barys-9946903-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Malware.Barys-9946903-0
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API
- XOR-encoded strings (key 0xC5) (critical, SC_XOR_ENCODED): Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC5: 'RegOpenKeyExA', 'ShellExecuteA'
Disassembly: attempted x86 opcode disassembly.
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://banana.boolker.com/xin87842647df/lin.asp+http://banana.boolker.com/838483dfotp/lin.asp+http://green.boolker.com/po23924898df/lin.asp (in document text, OLE body)
  - http://banana.boolker.com/xin09923929mxd/lin.asp+http://green.boolker.com/po9819219mxd/lin.asp (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00001200.exe | embedded-pe | Office MZ+PE at offset 0x1200 | 229376 bytes |

SHA-256: c6e9f764a9274d8e8a26ae2ba97a18d40b9d13feb3d346a34d958dc12bdead79
Detection (ClamAV): Win.Malware.Barys-9946903-0
Obfuscation or payload: unlikely