Verdict: MALICIOUS
Risk score: 88
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is an OLE (Compound File Binary) document. Two high-severity heuristics fire on it: a heap-spray pattern (a long run of 0x04 bytes, which disassembles to a harmless "add al, 4" sled at any alignment and, read as the dword 0x04040404, is the kind of low, predictable address a spray targets) and a large slack-space anomaly (about two thirds of the file lies outside any declared stream). Together these point to an embedded exploit payload rather than macro-based delivery. The VBA project contains no executable statements; only module attribute headers were recovered, but the Sheet1 module declares an embedded MSComctlLib ListView ActiveX control (VB_Control), so the control's stored data and the unallocated region are where a payload should be looked for. The sample's SHA256 hash is reported as the IOC.
Heuristics (3)
- Heap-spray pattern detected (severity: high, rule SC_HEAP_SPRAY): repeated 0x04 bytes found. A run of a single byte value that decodes to a side-effect-free instruction (0x04 0x04 = add al, 4) is the signature of a NOP-sled-style spray, and the repeated dword 0x04040404 is a typical spray address. Runs of one byte also occur in benign binary data (padding, free-sector markers in the FAT, zero-filled records), so before treating the hit as decisive confirm where the run sits (inside a declared stream or in unallocated slack), how long it is, and whether it is followed by an encoded stage.
Disassembly (attempted x86 opcode disassembly of the run):

```text
0000F03F 0404 add al, 4
0000F041 0404 add al, 4
0000F043 0404 add al, 4
0000F045 0404 add al, 4
0000F047 0404 add al, 4
0000F049 0404 add al, 4
0000F04B 0404 add al, 4
0000F04D 0404 add al, 4
0000F04F 0404 add al, 4
0000F051 0404 add al, 4
0000F053 0404 add al, 4
0000F055 0404 add al, 4
0000F057 0404 add al, 4
0000F059 0404 add al, 4
0000F05B 0404 add al, 4
0000F05D 0404 add al, 4
0000F05F 0404 add al, 4
0000F061 0404 add al, 4
0000F063 0404 add al, 4
0000F065 0404 add al, 4
0000F067 0404 add al, 4
0000F069 0404 add al, 4
0000F06B 0404 add al, 4
0000F06D 0404 add al, 4
0000F06F 0404 add al, 4
0000F071 0404 add al, 4
0000F073 0404 add al, 4
0000F075 0404 add al, 4
0000F077 0404 add al, 4
0000F079 0404 add al, 4
0000F07B 0404 add al, 4
0000F07D 0404 add al, 4
0000F07F 0404 add al, 4
0000F081 0404 add al, 4
0000F083 0404 add al, 4
0000F085 0404 add al, 4
0000F087 0404 add al, 4
0000F089 0404 add al, 4
0000F08B 0404 add al, 4
0000F08D 0404 add al, 4
0000F08F 0404 add al, 4
0000F091 0404 add al, 4
0000F093 0404 add al, 4
0000F095 0404 add al, 4
0000F097 0404 add al, 4
0000F099 0404 add al, 4
0000F09B 0404 add al, 4
0000F09D 0404 add al, 4
```

0x04 is the opcode of "add al, imm8", so the run decodes to the same two-byte instruction from every offset, which is what makes it usable as a sled regardless of where execution lands. If the listed addresses are file offsets, the run starts at 0xF03F (61,503), beyond the 43,229 bytes of declared stream data; stream sectors need not be contiguous, so this is consistent with the run living in the unallocated region but should be confirmed by mapping the sector to the FAT.
- OLE document has large unaccounted-for region (severity: high, rule OLE_SLACK_ANOMALY): the OLE file is 131,088 bytes but its declared streams total only 43,229 bytes, so 87,859 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Arithmetic check: 131,088 minus 43,229 is 87,859, or 67.0% of the file. The figure compares stream sizes with the whole file, so it also counts the 512-byte header and the FAT and directory sectors; those amount to a handful of sectors and cannot explain a gap of this size. 131,088 is also not a multiple of 512 (16 bytes over), so the image ends with a partial sector, which Office's own writer does not produce and which makes the tail of the file worth examining directly.
- VBA project contains no executable statements (severity: low, rule OLE_VBA_MACROS): the document contains a VBA project, but the extracted modules contain only attributes, options and comments and no executable statements. The modules are the default document modules of an Excel workbook (Sheet1 to Sheet3 and ThisWorkbook), so the VBA project is not the delivery mechanism here; it is worth noting only because Sheet1's attributes reference an embedded ActiveX control.
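The SC_HEAP_SPRAY and OLE_SLACK_ANOMALY checks above can be reproduced with a short stand-alone script. The following Python is an added example for this report, not the analyzer's own code. It parses the CFB header, FAT and directory itself (standard library only, assuming a file small enough that all FAT sector locations fit in the header DIFAT), sums declared stream sizes the way the report does, separately counts truly unallocated sectors (header, FAT and directory sectors excluded), reports any partial trailing sector, and attributes every long single-byte run to the sector that holds it. Because the sample is not reproduced on this page, the script builds a constructed CFB image in memory (one 9-sector stream followed by 20 unallocated sectors of 0x04) and runs the checks on that; the stream name "Payload" and all sizes are part of that construction.

```python
"""Stand-alone OLE/CFB triage: stream accounting vs. file size, plus a repeated-byte
run scan that attributes each run to a header, allocated or unallocated sector.
Added example, not the analyzer's code. Assumes the FAT sector list fits in the
header DIFAT (no DIFAT overflow sectors), true for files of a few MB or less."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_ole(data):
    """Return sector size, declared streams, allocated/unallocated sectors, trailing bytes."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir, cutoff = _u32(data, 0x2C), _u32(data, 0x30), _u32(data, 0x38)
    fat_secs = [_u32(data, 0x4C + 4 * i) for i in range(min(n_fat, 109))]

    def sector(n):  # sector 0 starts right after the header, which occupies one sector
        return data[(n + 1) * ssz:(n + 2) * ssz]

    fat = []
    for s in fat_secs:
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), sector(s)))

    def chain(start):  # follow a FAT chain, stopping on end markers, bad indexes or loops
        seen, cur = [], start
        while cur <= MAXREGSECT and cur < len(fat) and cur not in seen:
            seen.append(cur)
            cur = fat[cur]
        return seen

    allocated, streams = set(fat_secs), []
    dir_chain = chain(first_dir)
    allocated.update(dir_chain)
    for ds in dir_chain:
        sec = sector(ds)
        for i in range(ssz // 128):
            e = sec[i * 128:(i + 1) * 128]
            otype = e[0x42]  # 2 = stream, 5 = root storage
            if otype not in (2, 5):
                continue
            nlen = struct.unpack_from("<H", e, 0x40)[0]
            name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
            start, size = _u32(e, 0x74), _u32(e, 0x78)
            if otype == 2:
                streams.append((name, size))
            # Root's chain is the mini-stream container that holds small streams, so only
            # root and streams >= cutoff carry real FAT sector numbers worth following.
            if size and start <= MAXREGSECT and (otype == 5 or size >= cutoff):
                allocated.update(chain(start))
    total = len(data) // ssz - 1
    return {"sector_size": ssz, "streams": streams, "allocated": allocated,
            "unallocated": sorted(set(range(total)) - allocated),
            "trailing_bytes": len(data) % ssz}


def repeated_runs(data, min_len=256):
    """Return (offset, byte, length) for every run of one byte value of at least min_len."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, data[i], j - i))
        i = j
    return runs


def triage(data, min_run=256):
    """Reproduce the OLE_SLACK_ANOMALY and SC_HEAP_SPRAY checks on one image."""
    info = parse_ole(data)
    ssz = info["sector_size"]
    declared = sum(sz for _, sz in info["streams"])
    runs = []
    for off, val, length in repeated_runs(data, min_run):
        sec = off // ssz - 1  # sector holding the run's first byte (-1 = header)
        where = "header" if sec < 0 else "allocated" if sec in info["allocated"] else "unallocated"
        runs.append({"offset": off, "byte": val, "length": length, "sector": sec, "where": where})
    return {"file_size": len(data), "declared_bytes": declared,
            "naive_slack": len(data) - declared,  # the report's figure: file minus streams
            "unallocated_bytes": len(info["unallocated"]) * ssz,  # header/FAT/dir excluded
            "trailing_bytes": info["trailing_bytes"], "runs": runs}


def build_sample(slack_sectors=20, fill=0x04):
    """Constructed test image (not the analyzed sample): header, 1 FAT sector, 1 directory
    sector, one 9-sector stream named Payload, then slack_sectors unallocated sectors of fill."""
    ssz, nstream = 512, 9
    hdr = bytearray(ssz)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)  # DIFAT: FAT is sector 0
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN  # sector 1 = directory (single sector)
    for s in range(2, 2 + nstream):  # stream occupies sectors 2..10
        fat[s] = s + 1 if s < 1 + nstream else ENDOFCHAIN

    def entry(name, otype, start, size, child=FREESECT):
        e = bytearray(128)
        nm = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(nm)] = nm
        struct.pack_into("<HBBIII", e, 0x40, len(nm), otype, 1, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) + entry("Payload", 2, 2, nstream * ssz)
    directory += bytes(ssz - len(directory))
    stream = bytes(range(255, -1, -1)) * (nstream * ssz // 256)  # no long runs inside
    return (bytes(hdr) + struct.pack("<%dI" % (ssz // 4), *fat) + directory + stream
            + bytes([fill]) * (slack_sectors * ssz))


if __name__ == "__main__":
    t = triage(build_sample())
    print("file %d B, declared %d B, naive slack %d B (%.1f%%), unallocated %d B, trailing %d B"
          % (t["file_size"], t["declared_bytes"], t["naive_slack"],
             100.0 * t["naive_slack"] / t["file_size"], t["unallocated_bytes"], t["trailing_bytes"]))
    for r in t["runs"]:
        print("run of 0x%02x x %d at 0x%08x (sector %d, %s)"
              % (r["byte"], r["length"], r["offset"], r["sector"], r["where"]))
```

On the constructed image the naive figure (file size minus declared streams) overstates the slack by the three structural sectors, which is the caveat for the 67% number above, and the scan also reports the 0xFF free-sector markers in the header DIFAT and FAT and the zero-filled unused directory entries as long runs; only the 0x04 run is attributed to an unallocated sector. To run the checks on a real file, pass open(path, "rb").read() to triage().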
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1271 bytes | 1393fb9c6c18f41eb0fa3c4533b46ef8e1670352e75321cc8504cd42cae698a3 |
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView1, 1, 0, MSComctlLib, ListView"
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```