Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1059 (Command and Scripting Interpreter), T1203 (Exploitation for Client Execution)
The file is an Excel document in the OLE/CFB container format with a large slack-space anomaly, and it carries a VBA project. Heuristics found Windows API names XOR-encoded with the single-byte key 0xDE, a plaintext reference to VirtualAlloc and a long run of 0x41 (inc ecx) bytes usable as a NOP-equivalent sled. Together these are characteristic of embedded shellcode rather than of macro code. The extracted VBA modules contain no executable statements, so the macros are not the execution vector; the T1059 mappings reflect only the presence of the VBA project. The more likely mechanism is a parser exploit (T1203) that transfers control into the encoded shellcode hidden in the unallocated region of the container. The recovered API names (GetProcAddress, CreateProcessA, ExitProcess, CreateFileA, CreateFileW) point to shellcode that resolves imports at runtime and then writes and launches a second-stage file; none of them is a network API, so a download stage is not evidenced by the strings alone, and the payload is more plausibly carried inside the document itself.
Heuristics (5)
- XOR-encoded strings (key 0xDE) [critical, SC_XOR_ENCODED]: Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess ', 'CreateFileA ', 'CreateFileW '
Disassembly (attempted x86 opcode disassembly of the encoded region):
```
00010BFD  99            cdq
00010BFE  bbaa8eacb1    mov ebx, 0xb1ac8eaa
00010C03  bd9fbabaac    mov ebp, 0xacbaba9f
00010C08  bbadadde99    mov ebx, 0x99deadad
00010C0D  bbaa8abbb3    mov ebx, 0xb3bb8aaa
00010C12  ae            scasb al, byte ptr es:[edi]
00010C13  8e            .byte 0x8e
00010C14  bfaab69fde    mov edi, 0xde9fb6aa
00010C19  9d            popfd
00010C1A  ac            lodsb al, byte ptr [esi]
00010C1B  bbbfaabb98    mov ebx, 0x98bbaabf
00010C20  b7b2          mov bh, 0xb2
00010C22  bb9fde99bb    mov ebx, 0xbb99de9f
00010C27  aa            stosb byte ptr es:[edi], al
00010C28  98            cwde
00010C29  b7b2          mov bh, 0xb2
00010C2B  bb8db7a4bb    mov ebx, 0xbba4b78d
00010C30  de8dbbaa98b7  fimul word ptr [ebp - 0x48675545]
00010C36  b2bb          mov dl, 0xbb
00010C38  8e            .byte 0x8e
00010C39  b1b7          mov cl, 0xb7
00010C3B  b0aa          mov al, 0xaa
00010C3D  bbacde8cbb    mov ebx, 0xbb8cdeac
00010C42  bfba98b7b2    mov edi, 0xb2b798ba
00010C47  bbde89acb7    mov ebx, 0xb7ac89de
00010C4C  aa            stosb byte ptr es:[edi], al
00010C4D  bb98b7b2bb    mov ebx, 0xbbb2b798
00010C52  de9db2b1adbb  ficomp word ptr [ebp - 0x44524e4e]
00010C58  96            xchg esi, eax
00010C59  bf            .byte 0xbf
00010C5A  b0ba          mov al, 0xba
00010C5C  b2            .byte 0xb2
```
This listing is the XOR-encoded string table itself, not executable code, and the instructions it produces are meaningless. XOR-ing the 96 bytes shown above with 0xDE yields the NUL-separated strings 'GetProcAddress', 'GetTempPathA', 'CreateFileA', 'GetFileSize', 'SetFilePointer', 'ReadFile', 'WriteFile' and the start of 'CloseHandle': the import table of a dropper that reads a payload out of the open document, writes it to a temporary file and executes it. The actual shellcode must be located elsewhere in the slack region, and any further disassembly should start from the decoded buffer.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 1,050,741 bytes but its declared streams total only 240,528 bytes; 810,213 bytes (77%) live in unallocated sector slack. A small gap is normal (FAT, directory and mini-FAT sectors plus sector rounding of each stream), but three quarters of the file is not. This is the classic hiding place for payloads in exploit-driven Office documents, as opposed to macro droppers: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: Long run of 0x41 bytes. 0x41 decodes as inc ecx, which is harmless when executed repeatedly, so the run works as a landing zone for an imprecise control-flow hijack; it is also plain ASCII 'A', so confirm the region is reached as code and not merely text padding.
Disassembly (attempted x86 opcode disassembly):
```
00016D23  41            inc ecx
00016D24  41            inc ecx
00016D25  41            inc ecx
  ... 86 identical single-byte instructions in total, 00016D23 through 00016D78, each 41 inc ecx ...
00016D78  41            inc ecx
00016D79  0101          add dword ptr [ecx], eax
00016D7B  80800000000000  add byte ptr [eax], 0
00016D82  00            .byte 0x00
```
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: Plaintext reference to the VirtualAlloc API, not encoded with the 0xDE key used for the other names. VirtualAlloc is the usual way for shellcode to obtain executable memory for a decoded stage, so this strengthens the shellcode reading of the other heuristics.
- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements. The VBA project is therefore not the execution vector; the extracted macros.bas below confirms this.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 606 bytes |
Preview (first 1,000 lines of the extracted script):
```
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```