Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
ClamAV detects the file as a dropper (Doc.Dropper.Agent-1501878). The VBA project contains no executable statements, so macros are not how this document runs code. The remaining heuristics point to an embedded exploit payload instead: 53% of the OLE file (18,745 bytes) lies outside any declared stream, and that slack region holds a string table XOR-encoded with the single-byte key 0xFF naming KERNEL32.DLL, LoadLibraryA, GetProcAddress and ExitProcess, the import set that position-independent shellcode resolves by hand at runtime. The document body carries a single hyperlink, http://www.us.army.mil/, presented as Hurricane Katrina information. That is a legitimate government domain and nothing on this page shows it delivering anything; it reads as part of the lure that gets the attachment opened, not as the delivery channel. The mapping to T1566.001 follows from that: the user is enticed to open the attachment, and the payload is the document itself.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-1501878 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1501878
- XOR-encoded strings, key 0xFF (critical, SC_XOR_ENCODED): found 4 Windows library/API names XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess'
  Disassembly (attempted x86 opcode disassembly). This listing decodes the raw bytes at 0x8654 as instructions without first removing the XOR layer, so the mnemonics are not meaningful: the bytes are the XOR-0xFF string table itself (b4 ba ad b1 ba b3 cc cd d1 bb b3 b3 ff is 'KERNEL32.DLL' followed by a NUL), and the long run of `.byte 0xff` at the end is zero padding under that key. Decode with key 0xFF before reading this region.

  ```
  00008654 b4ba            mov ah, 0xba
  00008656 ad              lodsd eax, dword ptr [esi]
  00008657 b1ba            mov cl, 0xba
  00008659 b3cc            mov bl, 0xcc
  0000865B cdd1            int 0xd1
  0000865D bbb3b3ffbc      mov ebx, 0xbcffb3b3
  00008662 ad              lodsd eax, dword ptr [esi]
  00008663 ab              stosd dword ptr es:[edi], eax
  00008664 bbb3b3d1bb      mov ebx, 0xbbd1b3b3
  00008669 b3b3            mov bl, 0xb3
  0000866B ff              .byte 0xff
  0000866C ff              .byte 0xff
  0000866D ffb3909e9bb3    push dword ptr [ebx - 0x4c646170]
  00008673 96              xchg esi, eax
  00008674 9d              popfd
  00008675 8d9e8d86beff    lea ebx, [esi - 0x417973]
  0000867B ff              .byte 0xff
  0000867C b89a8baf8d      mov eax, 0x8daf8b9a
  00008681 90              nop
  00008682 9c              pushfd
  00008683 be9b9b8d9a      mov esi, 0x9a8d9b9b
  00008688 8c8cffffba8796  mov word ptr [edi + edi*8 - 0x69784501], cs
  0000868F 8baf8d909c9a    mov ebp, dword ptr [edi - 0x65636f73]
  00008695 8c8cffffff9a87  mov word ptr [edi + edi*8 - 0x78650001], cs
  0000869C 96              xchg esi, eax
  0000869D 8bff            mov edi, edi
  0000869F ff              .byte 0xff
  000086A0 ff              .byte 0xff
  000086A1 ff              .byte 0xff
  000086A2 ff              .byte 0xff
  000086A3 ff              .byte 0xff
  000086A4 ff              .byte 0xff
  000086A5 ff              .byte 0xff
  000086A6 ff              .byte 0xff
  000086A7 ff              .byte 0xff
  000086A8 ff              .byte 0xff
  000086A9 ff              .byte 0xff
  000086AA ff              .byte 0xff
  000086AB ff              .byte 0xff
  000086AC ff              .byte 0xff
  000086AD ff              .byte 0xff
  000086AE ff              .byte 0xff
  000086AF ff              .byte 0xff
  000086B0 ff              .byte 0xff
  000086B1 ff              .byte 0xff
  000086B2 ff              .byte 0xff
  000086B3 ff              .byte 0xff
  ```
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): the OLE file is 35,376 bytes but its declared streams total only 16,631 bytes; 18,745 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA project contains no executable statements (low, OLE_VBA_MACROS): the document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.us.army.mil/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 351 bytes | dc4caae5d956cc1bc15e3490ae1594108d5f0d5ae49efbe71a0d3e53ca4aca05 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "ChoiceBox1, 0, 0, DTCINTLib, ChoiceBox"
```