MALICIOUS
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The sample is an OLE document in which 97% of the file (422,511 of 435,224 bytes) lies outside any declared stream, a strong indicator of hidden content. A critical heuristic found Windows library names ('kernel32.dll' seven times, 'advapi32.dll' once) XOR-encoded with the single-byte key 0x12, a common way to conceal a native payload inside a document; XOR-decoding the bytes at 0x8FB0 shown in the disassembly below yields 'kernel32.dll', 'GetLongPathNameA' and a standard x86 function prologue. The VBA project contains no executable statements (its only notable content is an embedded MSComctlLib TreeView control on Sheet1, declared by the VB_Control attribute), so the payload is not macro-driven and the T1059.005 mapping rests on the mere presence of a VBA project. The evidence is consistent with a dropper or downloader delivered as a spearphishing attachment.
Heuristics (3)

- XOR-encoded strings (key 0x12) [critical, SC_XOR_ENCODED]: found 8 Windows library/API names XOR-encoded with the single-byte key 0x12: 'kernel32.dll' (7 occurrences) and 'advapi32.dll' (1 occurrence).

  Disassembly (attempted x86 opcode disassembly of the region at 0x8FB0):

      00008FB0 7977          jns 0x9029
      00008FB2 60            pushal
      00008FB3 7c77          jl 0x902c
      00008FB5 7e21          jle 0x8fd8
      00008FB7 203c76        and byte ptr [esi + esi*2], bh
      00008FBA 7e7e          jle 0x903a
      00008FBC 1212          adc dl, byte ptr [edx]
      00008FBE 1212          adc dl, byte ptr [edx]
      00008FC0 55            push ebp
      00008FC1 7766          ja 0x9029
      00008FC3 5e            pop esi
      00008FC4 7d7c          jge 0x9042
      00008FC6 7542          jne 0x900a
      00008FC8 7366          jae 0x9030
      00008FCA 7a5c          jp 0x9028
      00008FCC 737f          jae 0x904d
      00008FCE 7753          ja 0x9023
      00008FD0 1212          adc dl, byte ptr [edx]
      00008FD2 1212          adc dl, byte ptr [edx]
      00008FD4 47            inc edi
      00008FD5 99            cdq
      00008FD6 fe            .byte 0xfe
      00008FD7 93            xchg ebx, eax
      00008FD8 d6            salc
      00008FD9 f2ec          in al, dx
      00008FDB ed            in eax, dx
      00008FDC ed            in eax, dx
      00008FDD 41            inc ecx
      00008FDE 44            inc esp
      00008FDF 9b            wait
      00008FE0 57            push edi
      00008FE1 ee            out dx, al
      00008FE2 7a17          jp 0x8ffb
      00008FE4 1312          adc edx, dword ptr [edx]
      00008FE6 129f97f1eced  adc bl, byte ptr [edi - 0x12130e69]
      00008FEC ed            in eax, dx
      00008FED 42            inc edx
      00008FEE 7812          js 0x9002
      00008FF0 fa            cli
      00008FF1 6d            insd dword ptr es:[edi], dx
      00008FF2 d2ed          shr ch, cl
      00008FF4 ed            in eax, dx
      00008FF5 d457          aam 0x57
      00008FF7 fc            cld
      00008FF8 129f57ea427a  adc bl, byte ptr [edi + 0x7a42ea57]
      00008FFE 0b12          or edx, dword ptr [edx]
      00009000 1d1278127a    sbb eax, 0x7a127812
      00009005 fe4152        inc byte ptr [ecx + 0x52]
      00009008 127a13        adc bh, byte ptr [edx + 0x13]
      0000900B 1212          adc dl, byte ptr [edx]
      0000900D 92            xchg edx, eax
      0000900E fa            cli
      0000900F ab            stosd dword ptr es:[edi], eax

  This listing was produced from the still-encoded bytes, so the instructions are meaningless; the runs of 0x12 are XOR-encoded NUL padding. XOR-decoding the same 96 bytes with key 0x12 gives the NUL-padded ASCII strings 'kernel32.dll' (0x8FB0) and 'GetLongPathNameA' (0x8FC0), followed at 0x8FD4 by 55 8B EC 81 C4 E0 FE FF FF 53 56 (push ebp; mov ebp, esp; add esp, -0x120; push ebx; push esi), a standard x86 function prologue. The decoded code a little further on pushes the absolute address 0x4053EC and the constant 0x80000001 (HKEY_CURRENT_USER), which reads as a registry call through advapi32.dll from a linked PE image rather than position-independent shellcode; decode the whole slack region and look for an MZ header to confirm.

- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: the OLE file is 435,224 bytes but its declared streams total only 12,713 bytes; the remaining 422,511 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

- VBA project contains no executable statements [low, OLE_VBA_MACROS]: the document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.
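The SC_XOR_ENCODED check and the decoding of the listed region can be reproduced by hand. The following is an added example and not the analyzer's own code: it brute-forces a single-byte XOR key by searching a blob for the encoded form of known Windows library and API names, decodes the 96 bytes transcribed from the disassembly listing at 0x8FB0, and extracts the strings that appear. Only kernel32.dll and advapi32.dll come from the report; the other entries in KNOWN_NAMES are assumptions about what else a dropper typically references.

```python
"""Single-byte-XOR string hunting, the check behind SC_XOR_ENCODED.

Added example, not the analyzer's code. REGION_0x8FB0 is transcribed from
the hex column of the report's disassembly listing (0x8FB0-0x900F, 96 bytes)
so the output can be checked against the page.
"""

# Names whose XOR-encoded form betrays an embedded native payload. The first
# two are the ones the report found; the rest are an assumption about what
# else is worth looking for in a dropper.
KNOWN_NAMES = (
    b"kernel32.dll", b"advapi32.dll", b"user32.dll", b"ntdll.dll",
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WinExec",
)

# Bytes at 0x8FB0 in the sample, copied from the disassembly listing.
REGION_0x8FB0 = bytes.fromhex(
    "7977607c777e21203c767e7e12121212"   # 0x8FB0
    "5577665e7d7c754273667a5c737f7753"   # 0x8FC0
    "121212124799fe93d6f2eceded41449b"   # 0x8FD0
    "57ee7a171312129f97f1eceded427812"   # 0x8FE0
    "fa6dd2ededd457fc129f57ea427a0b12"   # 0x8FF0
    "1d1278127afe4152127a13121292faab"   # 0x9000
)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, needles=KNOWN_NAMES) -> dict:
    """Try all 256 keys; for each, search the blob for every needle in its
    XOR-encoded form (cheaper than decoding the whole blob per key).
    Returns {key: [(offset, needle), ...]} for keys with at least one hit.
    Hits under key 0x00 mean the names are simply present in plaintext."""
    hits = {}
    for key in range(256):
        found = []
        for needle in needles:
            enc = xor_decode(needle, key)
            pos = blob.find(enc)
            while pos != -1:
                found.append((pos, needle))
                pos = blob.find(enc, pos + 1)
        if found:
            hits[key] = sorted(found)
    return hits


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Extract printable-ASCII runs of at least min_len bytes, like strings(1)."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def analyse(blob: bytes) -> dict:
    """Pick the key with the most name hits, decode the blob with it, and
    return the key, the hits, the printable strings and the decoded bytes."""
    keys = find_xor_keys(blob)
    if not keys:
        return {"key": None, "hits": [], "strings": [], "decoded": blob}
    key = max(keys, key=lambda k: len(keys[k]))
    plain = xor_decode(blob, key)
    return {"key": key, "hits": keys[key],
            "strings": ascii_strings(plain), "decoded": plain}


if __name__ == "__main__":
    r = analyse(REGION_0x8FB0)
    print(f"key=0x{r['key']:02x} hits={r['hits']}")
    print("strings:", r["strings"])
    # Bytes right after the two NUL-padded names, so the prologue is visible.
    print("decoded bytes at 0x8FD4:", r["decoded"][0x24:0x2F].hex(" "))
```

Run on the listed bytes it reports key 0x12, the strings 'kernel32.dll' and 'GetLongPathNameA', and a decoded tail starting 55 8b ec (push ebp; mov ebp, esp). To apply the same check to the whole sample, carve the 422,511-byte slack region and pass it as blob; once a key is recovered, also search the decoded data for an MZ/PE header, which would show that the slack carries a complete executable rather than raw shellcode.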
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 671 bytes | 951208b608f8616684e7f652db35c4e21fc13440c541a1e128fc5562ec7888f1 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TreeView1, 1, 0, MSComctlLib, TreeView"
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True