Malicious RTF — malware analysis report

Static analysis result for SHA-256 b0872cbee6dde40e…

Verdict: MALICIOUS

File type: RTF

Size: 94.8 KB
Created: 2011-04-27 10:11:00
Authoring application: Microsoft Word 11.0.5604
First seen: 2012-07-12

MD5: 79748bf70c5b69c8b9244e0b83866dbd
SHA-1: 6dc5109e3dace16de3d38014f06c152fd7fbe3bb
SHA-256: b0872cbee6dde40e1d7cf09bc370a9c49ba07c9790ebf651d99104b0e5733f04

Risk score: 60

Heuristics (1)

  • XOR-encoded strings (key 0xFC) [severity: critical, rule: SC_XOR_ENCODED]
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'CreateProcessA', 'RegOpenKeyExA'
    Disassembly: x86, validity: code (0.884); no internal branches to corroborate control flow.