Verdict: MALICIOUS
Risk Score: 110
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is an OLE document with a large slack-space anomaly, indicating potential obfuscation. A VBA macro was extracted, but it contains no executable statements, suggesting it may be a decoy or part of a multi-stage attack. The document body contains what appears to be lure text and a reference to an image animator control, and an embedded URL was found. The VBA macro is likely benign or a placeholder, with the primary malicious intent possibly residing in the embedded URL or in further obfuscated code that is not readily apparent.
Heuristics (4)

- XOR-encoded strings (key 0x34) [critical, SC_XOR_ENCODED]: Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x34: 'shell32.dll'
Disassembly (attempted x86 opcode disassembly):

```text
0000148B 47            inc edi
0000148C 5c            pop esp
0000148D 51            push ecx
0000148E 58            pop eax
0000148F 58            pop eax
00001490 07            pop es
00001491 06            push es
00001492 1a5058        sbb dl, byte ptr [eax + 0x58]
00001495 58            pop eax
00001496 3457          xor al, 0x57
00001498 0e            push cs
00001499 684a104051    push 0x5140104a
0000149E 59            pop ecx
0000149F 44            inc esp
000014A0 1a505b        sbb dl, byte ptr [eax + 0x5b]
000014A3 57            push edi
000014A4 3464          xor al, 0x64
000014A6 46            inc esi
000014A7 5b            pop ebx
000014A8 53            push ebx
000014A9 59            pop ecx
000014AA 55            push ebp
000014AB 5a            pop edx
000014AC 3464          xor al, 0x64
000014AE 46            inc esi
000014AF 5b            pop ebx
000014B0 53            push ebx
000014B1 46            inc esi
000014B2 55            push ebp
000014B3 59            pop ecx
000014B4 1479          adc al, 0x79
000014B6 55            push ebp
000014B7 5a            pop edx
000014B8 55            push ebp
000014B9 53            push ebx
000014BA 51            push ecx
000014BB 46            inc esi
000014BC 34cb          xor al, 0xcb
000014BE cb            retf
000014BF cb            retf
000014C0 cb            retf
000014C1 cb            retf
000014C2 cb            retf
000014C3 cb            retf
000014C4 cb            retf
000014C5 cb            retf
000014C6 cb            retf
000014C7 cb            retf
000014C8 cb            retf
000014C9 cb            retf
000014CA cb            retf
000014CB cb            retf
000014CC cb            retf
000014CD cb            retf
000014CE cb            retf
000014CF cb            retf
000014D0 cb            retf
000014D1 cb            retf
000014D2 cb            retf
000014D3 cb            retf
000014D4 cb            retf
000014D5 cb            retf
000014D6 cb            retf
000014D7 cb            retf
000014D8 cb            retf
000014D9 cb            retf
000014DA cb            retf
000014DB cb            retf
000014DC cb            retf
000014DD cb            retf
000014DE cb            retf
000014DF cb            retf
000014E0 cb            retf
000014E1 cb            retf
000014E2 cb            retf
000014E3 cb            retf
000014E4 cb            retf
000014E5 cb            retf
000014E6 cb            retf
000014E7 cb            retf
000014E8 cb            retf
000014E9 cb            retf
000014EA cb            retf
```
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 78,180 bytes but its declared streams total only 16,217 bytes; 61,963 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://www.tibetanhealingfund.org (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 357 bytes |

SHA-256: b6f68ae26b154c8b9cdd4f0fe9a495bf9751beb6d137b467ab3e92025836551b

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "GifAnimator1, 0, 0, ImageOleLib, GifAnimator"
```