Verdict: MALICIOUS
Risk Score: 332
Heuristics: 11

- VBA project inside OOXML [medium] OOXML_VBA (5 related findings)
  Document contains a VBA project — VBA macros present

- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Matched line in script:
    On Error Resume Next 'Standard Error Checker to avoid System errors on Ribbon
    Shell "explorer.exe" & " " & Path_TemplateFolder, vbNormalFocus
    End Sub

- VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script:
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile Path_TemplateFile99, 2

- CreateObject call [high] OLE_VBA_CREATEOBJ
  Matched line in script:
    'Rename TemplateGallery w/o version to version 001 (for add-in until version 1.10.02)
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFolder = oFSO.GetFolder(Path_TemplateFolder)

- CallByName call [high] OLE_VBA_CALLBYNAME
  Matched line in script:
    Case 1, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17, 18, 24, 13, 14, 19, 20, 21, 25, 15, 22, 23, 28, 30, 33
    If CallByName(shpMasterMatch, strIndicator1, VbGet) = CallByName(shpFormatMatch, strIndicator1, VbGet) Then Check_IndicatorMatch_Detail = 3

- Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  Matched line in script:
    RegCloseKey HK
    GetAddInsFolder = Environ("AppData") + "\Microsoft\" + Path
    End Function

- NOP sled detected [high] SC_NOP_SLED
  Found 20+ consecutive 0x90 bytes
  Disassembly:
    Attempted x86 opcode disassembly (listing omitted)

- Heap-spray pattern detected [high] SC_HEAP_SPRAY
  Repeated 0x41 (A) bytes found
  Disassembly:
    Attempted x86 opcode disassembly (listing omitted)

- NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
  Long run of 0x41 bytes
  Disassembly:
    Attempted x86 opcode disassembly (listing omitted; same byte range as the SC_HEAP_SPRAY finding)

- Large OOXML part skipped [info] SCAN_INCOMPLETE
  One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/2009/07/customui (referenced by macro)