Verdict: MALICIOUS
Risk score: 120

Heuristics (4)
- PEB access via FS segment (x86) (severity: high, SC_PEB_ACCESS)
  Disassembly (x86; validity: code (0.969), 11/11 branch targets land on an instruction boundary, 100% coherence):

```asm
0001E3A2  648b1530000000  mov edx, dword ptr fs:[0x30]
0001E3A9  8b520c          mov edx, dword ptr [edx + 0xc]
0001E3AC  8b521c          mov edx, dword ptr [edx + 0x1c]
0001E3AF  8b5a08          mov ebx, dword ptr [edx + 8]
0001E3B2  8b5a08          mov ebx, dword ptr [edx + 8]
0001E3B5  8b4a20          mov ecx, dword ptr [edx + 0x20]
0001E3B8  8b12            mov edx, dword ptr [edx]
0001E3BA  81790c33003200  cmp dword ptr [ecx + 0xc], 0x320033
0001E3C1  75ef            jne 0x1e3b2
0001E3C3  0000            add byte ptr [eax], al
0001E3C5  0000            add byte ptr [eax], al
0001E3C7  0075e8          add byte ptr [ebp - 0x18], dh
0001E3CA  8b7d08          mov edi, dword ptr [ebp + 8]
0001E3CD  b90e000000      mov ecx, 0xe
0001E3D2  e8a9010000      call 0x1e580
0001E3D7  c9              leave
0001E3D8  c20400          ret 4
0001E3DB  55              push ebp
0001E3DC  8bec            mov ebp, esp
0001E3DE  33ff            xor edi, edi
0001E3E0  b980000000      mov ecx, 0x80
0001E3E5  57              push edi
0001E3E6  e2fd            loop 0x1e3e5
0001E3E8  47              inc edi
0001E3E9  8d5df4          lea ebx, [ebp - 0xc]
0001E3EC  53              push ebx
0001E3ED  57              push edi
0001E3EE  ff5630          call dword ptr [esi + 0x30]
0001E3F1  83f8ff          cmp eax, -1
0001E3F4  74f2            je 0x1e3e8
0001E3F6  3d00200000      cmp eax, 0x2000
0001E3FB  76eb            jbe 0x1e3e8
0001E3FD  8945fc          mov dword ptr [ebp - 4], eax
0001E400  89              .byte 0x89
0001E401  7d              .byte 0x7d
```
- Package object class (severity: high, RTF_OBJCLASS_PACKAGE): OLE Package object, which can wrap arbitrary files
- OLE object data (severity: medium, RTF_OBJDATA): RTF contains 4 \objdata section(s), i.e. embedded OLE objects
- Embedded OLE object (severity: medium, RTF_OBJEMB): RTF contains \objemb, an embedded OLE object
Extracted artifacts (3)

Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off0001b785.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1B785 | 440 bytes | ea5d234f81e7c6f4d2681a1e14ba35656c4caea1ff0358220f369a5f5b5ba6da |
| objdata_01_off0001bb1b.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1BB1B | 4923 bytes | 168744b2978450b724dbee7cdb05a7b34b02d368a10660abd293a1359a3bda59 |
| objdata_02_off0001beaf.bin | rtf-objdata-decoded | RTF \objdata at offset 0x1BEAF | 2354 bytes | 02355885ba665571ced1fcf8c35e9258bde5d85f0c5ddba2b88a22c44163e225 |