Verdict: MALICIOUS
Risk Score: 142

Malware Insights
The sample is an OLE document with significant slack space and XOR-encoded strings, suggesting obfuscation of malicious content. While the document body appears to be benign training material in Chinese, the presence of embedded URLs and the SC_GETPC_CALL heuristic indicate potential malicious activity. The SC_XOR_ENCODED heuristic is particularly concerning, as it often signifies packed or obfuscated malicious code.
Heuristics (4)

- SC_XOR_ENCODED (critical): XOR-encoded strings (key 0x55). Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x55: 'kernel32.dll', 'kernel32.dll', 'comctl32.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryW'
  Disassembly (attempted x86 opcode disassembly):

    00028D14 3e3027      xor byte ptr ds:[edi], ah
    00028D17 3b30        cmp esi, dword ptr [eax]
    00028D19 396667      cmp dword ptr [esi + 0x67], esp
    00028D1C 7b31        jnp 0x28d4f
    00028D1E 3939        cmp dword ptr [ecx], edi
    00028D20 0000        add byte ptr [eax], al
    00028D22 0000        add byte ptr [eax], al
    00028D24 55          push ebp
    00028D25 8bec        mov ebp, esp
    00028D27 83c4f8      add esp, -8
    00028D2A 53          push ebx
    00028D2B 33d2        xor edx, edx
    00028D2D 8955f8      mov dword ptr [ebp - 8], edx
    00028D30 8945fc      mov dword ptr [ebp - 4], eax
    00028D33 8b45fc      mov eax, dword ptr [ebp - 4]
    00028D36 e8f938f7ff  call 0xfff9c634
    00028D3B 33c0        xor eax, eax
    00028D3D 55          push ebp
    00028D3E 6880194900  push 0x491980
    00028D43 64ff30      push dword ptr fs:[eax]
    00028D46 648920      mov dword ptr fs:[eax], esp
    00028D49 8d55f8      lea edx, [ebp - 8]
    00028D4C 8b45fc      mov eax, dword ptr [ebp - 4]
    00028D4F e8e0ceffff  call 0x25c34
    00028D54 8b45f8      mov eax, dword ptr [ebp - 8]
    00028D57 50          push eax
    00028D58 e81bffffff  call 0x28c78
    00028D5D 5a          pop edx
    00028D5E e855d3ffff  call 0x260b8
    00028D63 8bd8        mov ebx, eax
    00028D65 33c0        xor eax, eax
    00028D67 5a          pop edx
    00028D68 59          pop ecx
    00028D69 59          pop ecx
    00028D6A 648910      mov dword ptr fs:[eax], edx
    00028D6D 6887194900  push 0x491987
    00028D72 8d          .byte 0x8d
    00028D73 45          inc ebp
- SC_GETPC_CALL (high): x86 GetPC stub (CALL $+5; POP EAX)
  Disassembly (attempted x86 opcode disassembly):

    000355BC e800000000  call 0x355c1
    000355C1 58          pop eax
    000355C2 2500f0ffff  and eax, 0xfffff000
    000355C7 e800000000  call 0x355cc
    000355CC 0000        add byte ptr [eax], al
    000355CE 0000        add byte ptr [eax], al
    000355D0 ff          .byte 0xff
    000355D1 ff          .byte 0xff
    000355D2 ff          .byte 0xff
    000355D3 ff0a        dec dword ptr [edx]
    000355D5 0000        add byte ptr [eax], al
    000355D7 0019        add byte ptr [ecx], bl
    000355D9 3127        xor dword ptr [edi], esp
    000355DB 193a        sbb dword ptr [edx], edi
    000355DD 3431        xor al, 0x31
    000355DF 1139        adc dword ptr [ecx], edi
    000355E1 3900        cmp dword ptr [eax], eax
    000355E3 00ff        add bh, bh
    000355E5 ff          .byte 0xff
    000355E6 ff          .byte 0xff
    000355E7 ff0f        dec dword ptr [edi]
    000355E9 0000        add byte ptr [eax], al
    000355EB 0019        add byte ptr [ecx], bl
    000355ED 3127        xor dword ptr [edi], esp
    000355EF 1230        adc dh, byte ptr [eax]
    000355F1 2111        and dword ptr [ecx], edx
    000355F3 3939        cmp dword ptr [ecx], edi
    000355F5 1d343b3139  sbb eax, 0x39313b34
    000355FA 3000        xor byte ptr [eax], al
    000355FC ff          .byte 0xff
    000355FD ff          .byte 0xff
    000355FE ff          .byte 0xff
    000355FF ff07        inc dword ptr [edi]
    00035601 0000        add byte ptr [eax], al
    00035603 001b        add byte ptr [ebx], bl
    00035605 2116        and dword ptr [esi], edx
    00035607 393a        cmp dword ptr [edx], edi
    00035609 263000      xor byte ptr es:[eax], al
    0003560C ff          .byte 0xff
    0003560D ff          .byte 0xff
    0003560E ff          .byte 0xff
    0003560F ff13        call dword ptr [ebx]
    00035611 0000        add byte ptr [eax], al
    00035613 001b        add byte ptr [ebx], bl
    00035615 2113        and dword ptr [ebx], edx
    00035617 27          daa
    00035618 3030        xor byte ptr [eax], dh
    0003561A 03          .byte 0x03
    0003561B 3c          .byte 0x3c
- OLE_SLACK_ANOMALY (high): OLE document has a large unaccounted-for region. The OLE file is 524,288 bytes but its declared streams total only 32,579 bytes; the remaining 491,709 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.url.com/ (in document text, OLE body)