Verdict: MALICIOUS
Risk Score: 80

Malware Insights
The sample exhibits high-severity heuristic firings related to PEB access and API hash resolution, indicating anti-analysis techniques. These techniques are commonly employed by various malware families to obscure their behavior and evade detection. No document body or script content was available for further analysis, limiting the ability to determine a specific attack pattern or family.
Heuristics (2)

- PEB access via FS segment (x86) [severity: high, id: SC_PEB_ACCESS]
  Description: PEB access via FS segment (x86)
Disassembly
Attempted x86 opcode disassembly:

  00024A6B 648b4030    mov eax, dword ptr fs:[eax + 0x30]
  00024A6F 8b400c      mov eax, dword ptr [eax + 0xc]
  00024A72 8b701c      mov esi, dword ptr [eax + 0x1c]
  00024A75 ad          lodsd eax, dword ptr [esi]
  00024A76 8b6808      mov ebp, dword ptr [eax + 8]
  00024A79 51          push ecx
  00024A7A 56          push esi
  00024A7B 57          push edi
  00024A7C 8b453c      mov eax, dword ptr [ebp + 0x3c]
  00024A7F 368b542878  mov edx, dword ptr ss:[eax + ebp + 0x78]
  00024A84 03d5        add edx, ebp
  00024A86 52          push edx
  00024A87 8b5220      mov edx, dword ptr [edx + 0x20]
  00024A8A 03d5        add edx, ebp
  00024A8C 33c0        xor eax, eax
  00024A8E 33c9        xor ecx, ecx
  00024A90 41          inc ecx
  00024A91 8b348a      mov esi, dword ptr [edx + ecx*4]
  00024A94 03f5        add esi, ebp
  00024A96 33ff        xor edi, edi
  00024A98 c1cf0d      ror edi, 0xd
  00024A9B ac          lodsb al, byte ptr [esi]
  00024A9C 03f8        add edi, eax
  00024A9E 85c0        test eax, eax
  00024AA0 75f6        jne 0x24a98
  00024AA2 3bfb        cmp edi, ebx
  00024AA4 75ea        jne 0x24a90
  00024AA6 5a          pop edx
  00024AA7 8b5a24      mov ebx, dword ptr [edx + 0x24]
  00024AAA 03dd        add ebx, ebp
  00024AAC 668b0c4b    mov cx, word ptr [ebx + ecx*2]
  00024AB0 8b5a1c      mov ebx, dword ptr [edx + 0x1c]
  00024AB3 03dd        add ebx, ebp
  00024AB5 8b048b      mov eax, dword ptr [ebx + ecx*4]
  00024AB8 03c5        add eax, ebp
  00024ABA 5f          pop edi
  00024ABB 5e          pop esi
  00024ABC 59          pop ecx
  00024ABD 83f901      cmp ecx, 1
  00024AC0 7408        je 0x24aca
  00024AC2 8bff        mov edi, edi
  00024AC4 55          push ebp
  00024AC5 8bec        mov ebp, esp
  00024AC7 83c005      add eax, 5
  00024ACA ff          .byte 0xff
- PEB API-hash resolver [severity: high, id: SC_API_HASH_RESOLVER]
  Description: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Disassembly
Attempted x86 opcode disassembly: identical to the listing shown under the previous heuristic (00024A6B to 00024ACA).