MALICIOUS
Risk Score: 128

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature Win.Exploit.13525-1, indicating it exploits a known vulnerability. Static analysis detected XOR-encoded strings, a common obfuscation technique used by malware. While VBA macros were present, they contained no executable statements, suggesting the exploit is likely embedded directly within the OLE structure rather than being triggered by macro code.
Heuristics (3)

- ClamAV: Win.Exploit.13525-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Exploit.13525-1
- XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]: Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'

Disassembly (attempted x86 opcode disassembly):

    00013C75 b390          mov bl, 0x90
    00013C77 9e            sahf
    00013C78 9b            wait
    00013C79 b396          mov bl, 0x96
    00013C7B 9d            popfd
    00013C7C 8d9e8d86beff  lea ebx, [esi - 0x417973]
    00013C82 ff            .byte 0xff
    00013C83 ffa9968d8b8a  jmp ptr [ecx - 0x7574726a]
    00013C89 9e            sahf
    00013C8A 93            xchg ebx, eax
    00013C8B af            scasd eax, dword ptr es:[edi]
    00013C8C 8d908b9a9c8b  lea edx, [eax - 0x74636575]
    00013C92 ff06          inc dword ptr [esi]
    00013C94 fe            .byte 0xfe
    00013C95 ff            .byte 0xff
    00013C96 ffd0          call eax
    00013C98 fc            cld
    00013C99 ff            .byte 0xff
    00013C9A ffa9968d8b8a  jmp ptr [ecx - 0x7574726a]
    00013CA0 9e            sahf
    00013CA1 93            xchg ebx, eax
    00013CA2 be9393909c    mov esi, 0x9c909393
    00013CA7 ff            .byte 0xff
    00013CA8 ff            .byte 0xff
    00013CA9 ff            .byte 0xff
    00013CAA ff            .byte 0xff
    00013CAB ff            .byte 0xff
    00013CAC ff            .byte 0xff
    00013CAD ff            .byte 0xff
    00013CAE ff            .byte 0xff
    00013CAF ff            .byte 0xff
    00013CB0 ff            .byte 0xff
    00013CB1 ff            .byte 0xff
    00013CB2 ff            .byte 0xff
    00013CB3 ff            .byte 0xff
    00013CB4 ff            .byte 0xff
    00013CB5 ff            .byte 0xff
    00013CB6 ff            .byte 0xff
    00013CB7 ff            .byte 0xff
    00013CB8 ff            .byte 0xff
    00013CB9 ff            .byte 0xff
    00013CBA ff            .byte 0xff
    00013CBB ff            .byte 0xff
    00013CBC ff            .byte 0xff
    00013CBD ff            .byte 0xff
    00013CBE ff            .byte 0xff
    00013CBF ff            .byte 0xff
    00013CC0 ff            .byte 0xff
    00013CC1 ff            .byte 0xff
    00013CC2 ff            .byte 0xff
    00013CC3 ff            .byte 0xff
    00013CC4 fe            .byte 0xfe
    00013CC5 ff            .byte 0xff
    00013CC6 ff            .byte 0xff
    00013CC7 ff            .byte 0xff
    00013CC8 3dfeffffa2    cmp eax, 0xa2fffffe
    00013CCD 7e12          jle 0x13ce1
    00013CCF fa            cli
    00013CD0 ff            .byte 0xff
    00013CD1 ff            .byte 0xff
    00013CD2 ff728a        push dword ptr [edx - 0x76]

- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 286 bytes |

SHA-256: 7771bf99b1125ee0f87040a7dc7c1fa89eec2186bbf4ab3e822c8d665693af47

Preview script (first 1,000 lines of the extracted script):

    Attribute VB_Name = "ThisDocument"
    Attribute VB_Base = "1Normal.ThisDocument"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True