MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (mapped on the presence of a VBA project; the extracted macro body is empty, so no scripting behaviour was actually observed)
The sample is an OLE document with VBA macros. The SC_XOR_ENCODED heuristic found Windows library/API names ('kernel32.dll', 'LoadLibraryA', 'GetProcAddress') XOR-encoded with the single-byte key 0xFF; that trio is exactly what position-independent shellcode needs to resolve its imports at run time, and encoding it keeps the names away from plain string scanners. The OLE_SLACK_ANOMALY heuristic reports that most of the file lies outside any declared stream, which is where such an encoded payload would be placed. The extracted VBA is a recorded stub (Macro1 with an empty body), so the macro itself does nothing; the verdict rests on the encoded API names and the slack-space anomaly, which together indicate an embedded encoded payload rather than a macro-driven attack. Whether that payload fetches a second stage cannot be established from the strings recovered here, and this report does not identify the document-parser bug that would be needed to transfer control to it.
Heuristics (3)
- XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]: Found 3 Windows library/API names XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress'.
Disassembly
Attempted x86 opcode disassembly. The analyzer disassembled the bytes as they sit in the file; under the 0xFF key the same bytes decode to the string data the heuristic reports (the first thirteen bytes, 94 9a 8d 91 9a 93 cc cd d1 9b 93 93 ff, XOR to 'kernel32.dll' followed by a NUL), so the instructions below are an artifact of disassembling encoded data, not the sample's real code.
000056C5  94              xchg esp, eax
000056C6  9a8d919a93cccd  lcall 0xcdcc, 0x939a918d
000056CD  d19b9393ff70    rcr dword ptr [ebx + 0x70ff9393], 1
000056D3  ba0717f3ff      mov edx, 0xfff31707
000056D8  ff              .byte 0xff
000056D9  ff              .byte 0xff
000056DA  ba87968baf      mov edx, 0xaf8b9687
000056DF  8d909c9a8c8c    lea edx, [eax - 0x73736564]
000056E5  ff707a          push dword ptr [eax + 0x7a]
000056E8  db00            fild dword ptr [eax]
000056EA  0000            add byte ptr [eax], al
000056EC  17              pop ss
000056ED  f3              .byte 0xf3
000056EE  ff              .byte 0xff
000056EF  ff              .byte 0xff
000056F0  ff              .byte 0xff
000056F1  bc8d9a9e8b      mov esp, 0x8b9e9a8d
000056F6  9ab996939abeff  lcall 0xffbe, 0x9a9396b9
000056FD  707a            jo 0x5779
000056FF  d7              xlatb
00005700  0000            add byte ptr [eax], al
00005702  0017            add byte ptr [edi], dl
00005704  ec              in al, dx
00005705  ff              .byte 0xff
00005706  ff              .byte 0xff
00005707  ff              .byte 0xff
00005708  bc8d9a9e8b      mov esp, 0x8b9e9a8d
0000570D  9ab996939ab29e  lcall 0x9eb2, 0x9a9396b9
00005714  8f              .byte 0x8f
00005715  8f              .byte 0x8f
00005716  96              xchg esi, eax
00005717  91              xchg ecx, eax
00005718  98              cwde
00005719  beff707ad3      mov esi, 0xd37a70ff
0000571E  0000            add byte ptr [eax], al
00005720  0017            add byte ptr [edi], dl
00005722  f1              int1
00005723  ff              .byte 0xff
00005724  ff              .byte 0xff
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 168,448 bytes but its declared streams total only 38,019 bytes, so 130,429 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure. Two caveats apply. The 38,019-byte figure counts stream payload bytes, not sectors, so the header, FAT, directory and mini-FAT sectors and the rounding of each stream up to a sector boundary account for part of the gap; a 77% gap is still far beyond that overhead. And this report identifies no specific parser bug or CVE: the slack finding is a structural anomaly, and it is the XOR-encoded API names that tie it to an encoded payload.
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code.
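To verify the SC_XOR_ENCODED finding and see why the disassembly above is meaningless, the following added example (not the analyzer's own code) XOR-decodes the bytes transcribed from the report's disassembly window with the reported key, brute-forces the key from scratch as a cross-check, and tests each recovered C string for the call-over-string idiom (an x86 CALL whose displacement equals the string length plus its NUL, which leaves the string's address on the stack as a fake return address). The byte window and the 0xFF key come from the report; the function names, the minimum run length and the key-scoring rule are this example's own choices.

```python
"""XOR-decode the byte window that the report attempted to disassemble.

Added example; not the analyzer's own code. The bytes are transcribed from the
report's disassembly listing (file offsets 0x56C5-0x5724) and the key 0xFF is
the one the SC_XOR_ENCODED heuristic names. Function names, the minimum string
length and the key-scoring rule are this example's own choices.
"""
import re

# Constructed from the report's listing, in address order (96 bytes).
DUMP_HEX = (
    "94" "9a8d919a93cccd" "d19b9393ff70" "ba0717f3ff" "ff" "ff"
    "ba87968baf" "8d909c9a8c8c" "ff707a" "db00" "0000" "17" "f3" "ff" "ff" "ff"
    "bc8d9a9e8b" "9ab996939abeff" "707a" "d7" "0000" "0017" "ec" "ff" "ff" "ff"
    "bc8d9a9e8b" "9ab996939ab29e" "8f" "8f" "96" "91" "98" "beff707ad3"
    "0000" "0017" "f1" "ff" "ff"
)
DUMP_BYTES = bytes.fromhex(DUMP_HEX)
DUMP_BASE = 0x56C5          # file offset of DUMP_BYTES[0], from the listing
REPORTED_KEY = 0xFF         # key named by the SC_XOR_ENCODED heuristic


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def extract_cstrings(decoded: bytes, min_len: int = 4) -> list:
    """Return (offset, text) for every NUL-terminated printable run of at
    least min_len bytes, i.e. strings shaped like C / Win32 API names."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}\x00" % min_len)
    return [(m.start(), m.group(0)[:-1]) for m in pattern.finditer(decoded)]


def guess_single_byte_key(data: bytes, min_len: int = 4) -> int:
    """Brute-force all 256 keys and keep the one yielding the most
    NUL-terminated strings. Scoring on string shape rather than on the share
    of printable bytes matters: a neighbouring key such as 0xFE also makes the
    letters printable but leaves no terminators behind."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = len(extract_cstrings(xor_decode(data, key), min_len))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def call_over_string_sites(decoded: bytes) -> list:
    """Flag strings preceded by `E8 rel32` with rel32 == len(text) + 1: a CALL
    that jumps over the string and leaves its address on the stack as the
    'return address', the call/pop idiom shellcode uses to reference inline
    strings without knowing where it was loaded."""
    sites = []
    for off, text in extract_cstrings(decoded):
        preceded = (
            off >= 5
            and decoded[off - 5] == 0xE8
            and int.from_bytes(decoded[off - 4:off], "little") == len(text) + 1
        )
        sites.append((off, text, preceded))
    return sites


def report(data: bytes = DUMP_BYTES, base: int = DUMP_BASE) -> str:
    """Human-readable summary with file offsets; returned, not printed."""
    key = guess_single_byte_key(data)
    lines = [f"best single-byte key: 0x{key:02X} (reported: 0x{REPORTED_KEY:02X})"]
    for off, text, call in call_over_string_sites(xor_decode(data, key)):
        tag = "call-over-string" if call else "no preceding CALL in window"
        lines.append(f"{base + off:08X}  {text.decode('ascii'):<20} {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run as-is, the key search returns 0xFF and the decoded window yields kernel32.dll (at the very start of the window, so whatever precedes it is not visible), ExitProcess, CreateFileA and CreateFileMappingA, the last three each immediately preceded by `E8 <len+1> 00 00 00`, which is why the analyzer's disassembler produced nonsense: it was fed encoded string data and encoded CALLs. The LoadLibraryA and GetProcAddress strings the heuristic reports lie outside the 96-byte window the report prints.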
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 493 bytes |

SHA-256: 1a9b5ef1661434a35ef2224a1a63d0428e37400d35e04dc698714138d7401e81

Preview script (first 1,000 lines of the extracted script). Two modules are concatenated: ThisDocument, which carries attributes only, and NewMacros, whose single procedure Macro1 has an empty body.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Macro1()
Attribute Macro1.VB_Description = "sdfsdf"
Attribute Macro1.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Macro1"
'
' Macro1 Macro
' sdfsdf
'
End Sub
```