Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b035013bf39de496…

MALICIOUS

Office (OLE)

Size: 3.26 MB
First seen: 2026-05-11
MD5: c57dacf5966207c67f6fdd2e3fda0635
SHA-1: bdfa2863878f767455c33077f76163ca9114dc08
SHA-256: b035013bf39de49645644532d2b593eecb1388dc10bd638a3fbd469472c2d45d
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an OLE (CFB) container in which an Excel 4.0 (XLM) macro sheet was identified. No VBA macros could be extracted, but an XLM macro sheet is executable content in its own right and points to an attempt to run arbitrary code. The long run of NOP-equivalent bytes and the unreadable directory are consistent with obfuscation or anti-analysis, both common in malicious documents. Because the directory could not be read, the XLM indicator did not come from a parsed Workbook stream; confirm it with a tool that recovers BIFF records from the raw bytes, or by detonating the file, before relying on it.

Heuristics (4)

  • NOP-equivalent sled detected (medium) SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes. 0x41 is ASCII 'A' and decodes as inc ecx in 32-bit x86, so the run would execute harmlessly as a sled; it is also exactly what padding or string data looks like, so on its own it is weak evidence. In 64-bit mode 0x41 is a REX prefix, so the listing below assumes 32-bit execution. The bytes following the run decode to privileged and nonsensical instructions (in, sti, int1, a far jump to an arbitrary segment), which is what data rather than shellcode looks like; nothing in the listing shows a payload the sled would lead into.
    Disassembly
    Attempted x86 (32-bit) opcode disassembly
    00267681  41                inc ecx
    00267682  41                inc ecx
    00267683  41                inc ecx
    00267684  41                inc ecx
    00267685  41                inc ecx
    00267686  41                inc ecx
    00267687  41                inc ecx
    00267688  41                inc ecx
    00267689  41                inc ecx
    0026768A  41                inc ecx
    0026768B  41                inc ecx
    0026768C  41                inc ecx
    0026768D  41                inc ecx
    0026768E  41                inc ecx
    0026768F  41                inc ecx
    00267690  41                inc ecx
    00267691  41                inc ecx
    00267692  41                inc ecx
    00267693  41                inc ecx
    00267694  41                inc ecx
    00267695  41                inc ecx
    00267696  41                inc ecx
    00267697  41                inc ecx
    00267698  41                inc ecx
    00267699  41                inc ecx
    0026769A  41                inc ecx
    0026769B  41                inc ecx
    0026769C  41                inc ecx
    0026769D  41                inc ecx
    0026769E  41                inc ecx
    0026769F  41                inc ecx
    002676A0  41                inc ecx
    002676A1  41                inc ecx
    002676A2  41                inc ecx
    002676A3  41                inc ecx
    002676A4  41                inc ecx
    002676A5  41                inc ecx
    002676A6  41                inc ecx
    002676A7  79a3              jns 0x26764c
    002676A9  c41a              les ebx, ptr [edx]
    002676AB  127dc7            adc bh, byte ptr [ebp - 0x39]
    002676AE  f1                int1
    002676AF  c6                .byte 0xc6
    002676B0  d6                salc
    002676B1  dbc2              fcmovnb st(0), st(2)
    002676B3  b3ad              mov bl, 0xad
    002676B5  d48c              aam 0x8c
    002676B7  ba5e306f69        mov edx, 0x696f305e
    002676BC  ed                in eax, dx
    002676BD  b95a3667af        mov ecx, 0xaf67365a
    002676C2  fb                sti
    002676C3  22abd803db5b      and ch, byte ptr [ebx + 0x5bdb03d8]
    002676C9  10c8              adc al, cl
    002676CB  f1                int1
    002676CC  f5                cmc
    002676CD  4c                dec esp
    002676CE  ce                into
    002676CF  1e                push ds
    002676D0  2197c51a93e3      and dword ptr [edi - 0x1c6ce53b], edx
    002676D6  ea999ca7809989    ljmp 0x8999:0x80a79c99
    002676DD  54                push esp
    002676DE  88                .byte 0x88
    002676DF  35                .byte 0x35
    002676E0  6d                insd dword ptr es:[edi], dx
  • Excel 4.0 (XLM) macro sheet present (medium) OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream, recorded in the Workbook stream's BOUNDSHEET record with sheet type 0x01; the same record carries the hidden/very-hidden flag that XLM droppers use to keep the sheet out of sight. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. Execution on open depends on an Auto_Open defined name pointing into the macro sheet; that name is not shown in this report, so treat the AUTOOPEN part of the identifier as unconfirmed and check the defined names before concluding that the macro runs without user interaction.
  • CFB header with no readable streams (medium) OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header, but no directory entries could be read from it. For a 3.26 MB compound document this is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off its byte boundaries to defeat parsers while the host application still recovers the object. A practical consequence is that the XLM finding above cannot have come from a parsed Workbook stream; confirm it with a parser that walks the FAT and tolerates damage, and check whether Excel itself opens the file.
  • Unsupported Office format for VBA extraction (info) OFFICE_FORMAT_UNSUPPORTED
    The analyzer could not extract VBA macros; the document may be a legacy format, encrypted or malformed. Here the unreadable directory is the likely cause, and an XLM macro sheet needs no VBA project in any case, so the absence of extracted VBA says nothing about whether the file is benign.
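The three structural checks in this report can be reproduced on a raw file without the analyzer. The Python below is an added example written for this page, not the analyzer's code or output: it scans for runs of NOP-equivalent bytes, walks the CFB directory chain and says why the directory is unreadable when it is, and recovers BoundSheet8 records by a raw byte scan so the XLM sheet is still found when the directory is not. Field offsets follow the MS-CFB and MS-XLS specifications; the container produced by build_sample() is constructed for the demonstration and is not the analysed sample, and all function names are this example's own.

```python
# Added example, not the analyzer's code: re-run the report's three structural
# checks on a raw byte buffer. Offsets follow MS-CFB and MS-XLS (BoundSheet8).
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Single-byte 32-bit x86 sled filler (nop, inc/dec reg); 0x41..0x4f are also printable ASCII.
NOP_EQUIV = {0x90} | set(range(0x40, 0x50))
SHEET_TYPE = {0: "worksheet", 1: "macro sheet (XLM)", 2: "chart", 6: "VBA module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}


def nop_equiv_runs(buf, min_len=32):
    """(offset, length, distinct bytes) for each run of >= min_len NOP-equivalent bytes."""
    runs, i = [], 0
    while i < len(buf):
        j = i
        while j < len(buf) and buf[j] in NOP_EQUIV:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, sorted(set(buf[i:j]))))
        i = max(j, i + 1)
    return runs


def cfb_directory(buf):
    """Walk the CFB directory chain: (error or None, [(name, type, start sector, size)]).
    Uses only the 109 header DIFAT slots and ignores the mini stream (enough for triage)."""
    if len(buf) < 512 or buf[:8] != CFB_MAGIC:
        return "no CFB signature at offset 0", []
    ss = 1 << struct.unpack_from("<H", buf, 30)[0]          # sector size: 512 (v3) or 4096 (v4)
    if ss not in (512, 4096):
        return "unsupported sector size %d" % ss, []
    n_fat, first_dir = struct.unpack_from("<II", buf, 44)
    sector = lambda k: buf[(k + 1) * ss:(k + 2) * ss]       # sector 0 follows the 512-byte header
    fat = []
    for k in struct.unpack_from("<109I", buf, 76)[:n_fat]:
        if len(sector(k)) != ss:
            return "FAT sector %d outside file" % k, []
        fat.extend(struct.unpack("<%dI" % (ss // 4), sector(k)))
    entries, k, seen = [], first_dir, set()
    while k not in (ENDOFCHAIN, FREESECT) and k not in seen:   # chain ends or loops
        seen.add(k)
        if len(sector(k)) != ss:
            return "directory sector %d outside file" % k, entries
        for off in range(0, ss, 128):                         # 128-byte directory entries
            e = sector(k)[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type:                                      # 0 = unallocated slot
                name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
                entries.append((name, obj_type) + struct.unpack_from("<IQ", e, 116))
        k = fat[k] if k < len(fat) else ENDOFCHAIN
    if not any(t == 2 for _, t, _, _ in entries):             # 2 = stream object
        return "directory readable but names no stream", entries
    return None, entries


def boundsheet_records(buf):
    """Raw scan for BIFF8 BoundSheet8 records (type 0x0085), needing no readable directory:
    (offset, sheet type, visibility, name). Records split across non-contiguous sectors are missed."""
    hits, pos = [], 0
    while (pos := buf.find(b"\x85\x00", pos)) >= 0 and pos + 12 <= len(buf):
        length, = struct.unpack_from("<H", buf, pos + 2)
        hs, dt, cch, flags = struct.unpack_from("<4B", buf, pos + 8)   # after 4-byte lbPlyPos
        width = 2 if flags & 1 else 1                                 # fHighByte: UTF-16 name
        if dt in SHEET_TYPE and length == 8 + cch * width:            # self-consistent record
            raw = buf[pos + 12:pos + 12 + cch * width]
            name = raw.decode("utf-16-le" if width == 2 else "latin-1", "replace")
            hits.append((pos, SHEET_TYPE[dt], VISIBILITY.get(hs & 3, "?"), name))
            pos += 4 + length
        else:
            pos += 1
    return hits


def _boundsheet(name, dt, hs):
    b = name.encode("latin-1")
    return struct.pack("<HHIBBBB", 0x0085, 8 + len(b), 0, hs, dt, len(b), 0) + b


def _dir_entry(name, typ, child, start, size):
    n = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(n.ljust(116, b"\x00") + struct.pack("<IQ", start, size))
    struct.pack_into("<HBBIII", e, 64, len(n), typ, 1, FREESECT, FREESECT, child)
    return bytes(e)


def build_sample():
    """Constructed minimal container (sector 0 FAT, 1 directory, 2 'Workbook'): a visible
    worksheet, a very-hidden XLM sheet and a 64-byte 0x41 run. Not a spec-complete workbook."""
    biff = _boundsheet("Sheet1", 0, 0) + _boundsheet("Macro1", 1, 2) + b"\x0a\x00\x00\x00" + b"A" * 64
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # versions, byte order, sector shifts
    struct.pack_into("<II", hdr, 44, 1, 1)                         # one FAT sector; directory at sector 1
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # no mini FAT / DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)       # the FAT is in sector 0
    fat = struct.pack("<3I", FATSECT, ENDOFCHAIN, ENDOFCHAIN) + struct.pack("<I", FREESECT) * 125
    directory = _dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + _dir_entry("Workbook", 2, FREESECT, 2, len(biff))
    return bytes(hdr) + fat + directory.ljust(512, b"\x00") + biff.ljust(512, b"\x00")
```

Run the three functions on open(path, "rb").read() for the real file. An error of the form "directory sector N outside file" together with a BoundSheet8 hit of type "macro sheet (XLM)" is the exact combination this report describes: a valid header, an unreachable directory, and a macro sheet that can only have been found by scanning raw bytes.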