PESCAN.IO - Analysis Report Basic
| File Structure |
(The PE layout chart is not reproduced here; only its legend survived.)
PE chart colour code: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A file structure drawn in red means a malformed or corrupted header.
Chart colour code for other file types: printable characters (blue), non-printable characters (black).
| Information |
• Size: 460.12 KB
• SHA-256: A4E5DA9B6EB9A8A2A4BD5E3255898340BAAD1FFE13AED40DAC18D69E3BA3814E
• SHA-1: CE644EA6CE6E7AE7BBF104B213D0B2CC4B6DD6F8
• MD5: 4BC860D91E48EEE1F0A8E9A83923B57D
• Imphash: 533E9FDF9EE97166025945B182BBD8B4
• MajorOSVersion / MinorOSVersion: 4.0
• CheckSum: 0x00011B4D
• EntryPoint (RVA): 0x1454
• SizeOfHeaders: 0x1000
• SizeOfImage: 0x9000
• ImageBase: 0x400000
• Architecture: x86
• ImportTable (RVA): 0x5D14
• IAT (RVA): 0x1000
• Characteristics: 0x10F (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE)
• TimeDateStamp: 0x69B7C7FD, i.e. 16/03/2026 09:06:05 UTC
• File Type: EXE
• Number Of Sections: 3 (.text, .data, .rsrc); executable sections: 1
• ASLR: Disabled (consistent with RELOCS_STRIPPED: without relocations the image can only load at 0x400000)
• Subsystem: Windows GUI
Note: SizeOfImage is 0x9000 (36 KB) while the file is 460.12 KB, so about 424 KB of the file lies beyond the last section as overlay; that overlay is what the Binder/Joiner/Crypter section below reports.
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 (Code, Executable, Readable) | 0x1000 | 0x6000 | 0x1000 | 0x52E4 | 5.4630 | 556213.40 |
| .data | 0xC0000040 (Initialized Data, Readable, Writeable) | 0x7000 | 0x1000 | 0x7000 | 0x340 | 0.0000 | 1044480.00 |
| .rsrc | 0x40000040 (Initialized Data, Readable) | 0x8000 | 0x1000 | 0x8000 | 0x2C0 | 0.8817 | 866869.88 |
Raw and virtual offsets coincide for all three sections, so a file offset inside a section equals its RVA. .data has zero entropy on disk (a chi-square of 1,044,480 is the value for 4,096 identical bytes), and the highest section entropy is 5.46, so the 7.898 whole-file entropy reported under Packer/Compiler comes from the overlay, not from any section.
| Description |
| FileVersion: 1.00 | ProductVersion: 1.00 | Language: English (United States) (ID=0x409) | CodePage: Unicode (UTF-16 LE) (0x4B0) |
Unusual characters were found in the version-info description field (the tool flags them as polymorphic patterns). The field itself is not shown, so this is a heuristic to confirm against the raw VS_VERSION_INFO resource.
| Binder/Joiner/Crypter |
| Overlay data after the last section (EOF): 424.12 KB, flagged as dropper code. The first bytes of the overlay (see the Flow Anomalies table, offset 0x9000) are a CodeView NB10 (PDB 2.0) debug record, so part of the overlay is ordinary linker output; the remainder of the 424 KB has to be carved and inspected before it is treated as an embedded payload. |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated): RVA 0x1454, VA 0x401454. Bytes at the entry point: 6828154000E8F0FFFFFF0000000000003000000040000000000000009CBE20D737545140946985935A537CF9000000000000 |
• 68 28 15 40 00 -> PUSH 0x401528: the address of the VB project header (the "VB5!" structure).
• E8 F0 FF FF FF -> CALL 0x40144E: a relative call of -0x10 from the next instruction (the report prints the unresolved operand as CALL 0xFFA). 0x40144E is the last entry of the jmp-thunk table listed under Flow Anomalies, JMP DWORD PTR [0x4010F4], an IAT slot and therefore an MSVBVM60.DLL import. A two-instruction stub of push VB header; call the runtime entry (conventionally MSVBVM60!ThunRTMain, whose name the report does not show) is how every native-code VB6 executable starts.
• The remaining bytes (00 00 00 00 00 00 30 00 00 00 40 00 ... 9C BE 20 D7 ...) are data behind the stub, not code. Decoding them produces the filler the tool printed (ADD BYTE PTR [EAX], AL; XOR BYTE PTR [EAX], AL; INC EAX; IMUL EAX, DWORD PTR [EBP + 0x7C535A93], 0xF9; ...), which should be ignored.
| Signatures |
| CheckSum integrity problem: header 72525 (0x11B4D), calculated 508957 (0x7C41D). The checksum covers every byte of the file, so appending a 424 KB overlay after linking invalidates the linker's value unless it is recomputed; the mismatch is therefore consistent with the overlay finding. Windows enforces the checksum only for drivers and a few system images, so a user-mode EXE with a stale value still loads; read the mismatch as evidence of post-link modification, not of corruption. |
| Rich Signature Analyzer: D94BC4DB9D2AAA889D2AAA889D2AAA881E36A4889C2AAA88F435A3889F2AAA887435A7889C2AAA88526963689D2AAA88; footprint MD5 908D4A44A9B0F2660C10D9048322A9E4. The tool reports the Rich header as apparently unmodified. |
| Certificate: no digital signature found; the file is not signed. |
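The mismatch above is the output of the standard PE checksum routine. The following Python is an added example, not PESCAN.IO code, that reimplements that routine (the algorithm behind CheckSumMappedFile) and runs it over a constructed, non-loadable PE32 skeleton whose header carries the report's stored value 0x11B4D; the skeleton and its field values are assumptions for the demonstration.

```python
# Added example (not PESCAN.IO code): recompute the PE header CheckSum the way
# the report's "CheckSum Integrity Problem" check does, on a constructed toy PE.
import struct

def _fold16(s: int) -> int:
    """End-around-carry fold of a running 16-bit sum."""
    return (s & 0xFFFF) + (s >> 16)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as computed by CheckSumMappedFile: sum every 16-bit word of the
    file except the 4-byte CheckSum field itself, fold carries, add the file length."""
    padded = data if len(data) % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue                       # the field being computed counts as zero
        total = _fold16(total + int.from_bytes(padded[off:off + 2], "little"))
    total = _fold16(total)
    return (total + len(data)) & 0xFFFFFFFF

def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20 + 64     # signature + COFF header + offset inside optional header

def check_pe(data: bytes):
    """Return (stored, calculated, matches) for a PE file held in memory."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    calc = pe_checksum(data, off)
    return stored, calc, stored == calc

def fix_checksum(data: bytes) -> bytes:
    """Write the correct value into the header (what a linker does after emitting the file)."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)

def build_toy_pe(stored_checksum: int) -> bytes:
    """Constructed minimal PE32 skeleton (assumption, not the analysed sample):
    DOS header, PE signature, COFF header, 224-byte optional header carrying
    `stored_checksum`. Not loadable; it only gives the routine a well-formed file to walk."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x10F)  # i386, 1 section, flags as in the report
    opt = bytearray(224)
    opt[0:2] = b"\x0b\x01"                                         # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    stale = build_toy_pe(0x11B4D)   # the report's header value; wrong for this toy file
    print("stored=%#x calculated=%#x ok=%s" % check_pe(stale))
    print("after fix:", check_pe(fix_checksum(stale)))
```

To reproduce the report's numbers on the real sample, read the whole file into `data` and call `check_pe(data)`; a match after `fix_checksum` only proves the header was updated, which is why the value is a post-link modification indicator and not an integrity guarantee.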
| Packer/Compiler |
| Compiler: Visual Basic 6 (native code) |
Detect It Easy (DiE):
• PE: compiler: Microsoft Visual Basic(6.0)[Native]
• PE: linker: Microsoft Linker(6.0*)[-]
• PE: overlay: PDB 2.0 file link(-)[-]
• Entropy: 7.89806 (whole file)
The 7.898 figure is for the file as a whole. The sections individually score at most 5.46 and the overlay makes up about 92% of the file, so the overlay itself must be close to 8 bits per byte: compressed or encrypted content, not just the plain PDB link record that DiE identifies at its start.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| MSVBVM60.DLL | DllFunctionCall | Runtime helper behind VB `Declare` statements: resolves and calls an export of an arbitrary DLL by name, which is how VB6 code reaches the Win32 API (or anything else) outside the runtime. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure passed to it for the given window and message. Because it calls whatever address it is handed, it is a stock way for VB6 code to execute machine code placed in a byte array; it is also used legitimately for window subclassing, so the import alone is not conclusive. |
| File Access |
Strings that look like file references: • MSVBVM60.DLL • VBA6.DLL • .dat
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Rule / Pattern |
|---|---|---|
| Text | Unicode | Technique used to make malicious code harder to analyze (Obfuscation) |
| Entry Point | Hex Pattern | Microsoft Visual Basic 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual Basic v5.0 |
| Entry Point | Hex Pattern | Microsoft Visual Basic v5.0 - v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual Basic v5.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
The text-rule row shows the rule's description rather than the Unicode string that matched, so it cannot be verified from this report. The entry-point patterns agree with the VB6 identification except for "Microsoft Visual C++ 8", which contradicts the MSVBVM60.DLL import and the push/call stub at the entry point and should be treated as a false positive of a short byte signature.
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 8058 | 268 | 8058 | 680234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | h.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
• MSVBVM60.DLL
• & .vbp
• .exe
• VBA6.DLL
• & .exe
| Flow Anomalies |
The 78 .text rows from 0x1280 to 0x144E are the import thunk table: consecutive 6-byte JMP DWORD PTR [slot] instructions (FF 25 followed by a 4-byte address) whose operands are IAT slots between 0x401000 and 0x401134, which is how VB6 native code reaches its MSVBVM60.DLL imports. They are expected, not anomalous. The "*padding*" rows at 0x23336 and beyond lie in the overlay (past the last section, which ends at file offset 0x9000); their operands (0x30457C24, 0x073FF661, ...) fall outside the loaded image (0x400000 to 0x409000), so they are FF 15 / FF 25 byte pairs that occur by chance in data, not real branches. The column the report labels RVA holds the absolute address from which the indirect jump or call reads its target.
| Offset | Target slot (VA) | Section | Kind | Description |
|---|---|---|---|---|
| 1280 | 401060 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1286 | 401094 | .text | JMP [static] | Indirect jump to absolute memory address |
| 128C | 4010A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1292 | 401050 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1298 | 40103C | .text | JMP [static] | Indirect jump to absolute memory address |
| 129E | 4010D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12A4 | 401028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12AA | 4010F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12B0 | 401054 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12B6 | 4010EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 12BC | 4010DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 12C2 | 4010A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12C8 | 401084 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12CE | 40109C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12D4 | 40102C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12DA | 40100C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12E0 | 401110 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12E6 | 401008 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12EC | 40112C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12F2 | 4010BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 12F8 | 401058 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12FE | 401090 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1304 | 401120 | .text | JMP [static] | Indirect jump to absolute memory address |
| 130A | 40111C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1310 | 401080 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1316 | 401018 | .text | JMP [static] | Indirect jump to absolute memory address |
| 131C | 40110C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1322 | 401020 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1328 | 401108 | .text | JMP [static] | Indirect jump to absolute memory address |
| 132E | 40108C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1334 | 401004 | .text | JMP [static] | Indirect jump to absolute memory address |
| 133A | 401000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1340 | 401100 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1346 | 401128 | .text | JMP [static] | Indirect jump to absolute memory address |
| 134C | 4010B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1352 | 40106C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1358 | 4010F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 135E | 401048 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1364 | 4010B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 136A | 401010 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1370 | 40104C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1376 | 401078 | .text | JMP [static] | Indirect jump to absolute memory address |
| 137C | 4010C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1382 | 401074 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1388 | 4010AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 138E | 401088 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1394 | 4010D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 139A | 401134 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13A0 | 401044 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13A6 | 40105C | .text | JMP [static] | Indirect jump to absolute memory address |
| 13AC | 4010D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13B2 | 4010B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13B8 | 401124 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13BE | 4010FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 13C4 | 4010A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13CA | 4010E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13D0 | 4010E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13D6 | 401024 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13DC | 401104 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13E2 | 401098 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13E8 | 401040 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13EE | 401118 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13F4 | 401068 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13FA | 401070 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1400 | 401014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1406 | 4010CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 140C | 401064 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1412 | 40101C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1418 | 4010C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 141E | 4010E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1424 | 401030 | .text | JMP [static] | Indirect jump to absolute memory address |
| 142A | 401130 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1430 | 401038 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1436 | 4010C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 143C | 401114 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1442 | 401034 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1448 | 40107C | .text | JMP [static] | Indirect jump to absolute memory address |
| 144E | 4010F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 23336 | 30457C24 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 240A0 | 3A0D8E24 | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 25CEF | 3A0D8E24 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 2C718 | 70F7D2B | *padding* | JMP [static] | Indirect jump to absolute memory address |
| 30229 | 73FF661 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 4EB6A | 73FF661 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 514A4 | 73FF661 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 6C8F6 | 73FF661 | *padding* | CALL [static] | Indirect call to absolute memory address |
| 9000 | N/A | *Overlay* | 4E42313000000000ECC4B76903000000433A5C44 | NB10.......i....C:\D |
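The Entry Point section, the thunk rows above and the overlay row are three views of the same few bytes. The Python below is an added example, not PESCAN.IO code: it rebuilds a small model of the tail of .text from values taken from this report (five of the 78 thunk offsets and their slots, the ten entry-point bytes at 0x1454, and the first 20 overlay bytes), follows the entry stub's call into its jmp thunk, scans for FF 25 / FF 15 and separates IAT-backed thunks from chance matches, and decodes the NB10 record and the TimeDateStamp. The IAT address range and the bytes marked as noise are assumptions for the demonstration; the "C:\D" path prefix stays truncated because the report truncates it.

```python
# Added example (not PESCAN.IO code): follow the VB6 entry stub through its import
# thunk, tell real `jmp/call [abs32]` thunks from chance matches in data, and decode
# the overlay's NB10 record and the header timestamp.
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
# .text has ROffset == VOffset == 0x1000 in the report, so inside it a file offset
# equals the RVA and VA == IMAGE_BASE + file offset.
# Assumption (not stated by the report): the IAT spans the slot addresses the thunk
# table references, 0x401000 .. 0x401134 inclusive.
IAT_RANGE = (0x401000, 0x401138)

# Excerpt of the report's thunk table: file offset -> IAT slot the jmp reads.
THUNKS = {0x1280: 0x401060, 0x1286: 0x401094, 0x128C: 0x4010A4,
          0x1448: 0x40107C, 0x144E: 0x4010F4}
ENTRY_OFF = 0x1454
ENTRY_BYTES = bytes.fromhex("6828154000E8F0FFFFFF")      # push 0x401528 ; call -0x10 (from report)
NOISE_OFF = 0x1480                                       # constructed: data that happens to
NOISE = bytes.fromhex("90FF1561F63F07C3")                # contain FF 15 61 F6 3F 07 (call [0x073FF661])
OVERLAY_HEAD = bytes.fromhex("4E42313000000000ECC4B76903000000433A5C44")  # offset 0x9000 bytes from report

def ts_to_utc(ts: int) -> str:
    """Render a PE / CodeView 32-bit timestamp as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def build_image() -> bytes:
    """Constructed model of file offsets 0x0000..0x14FF: thunks, entry stub, noise."""
    buf = bytearray(0x1500)
    for off, slot in THUNKS.items():
        buf[off:off + 6] = b"\xff\x25" + struct.pack("<I", slot)   # jmp dword ptr [slot]
    buf[ENTRY_OFF:ENTRY_OFF + len(ENTRY_BYTES)] = ENTRY_BYTES
    buf[NOISE_OFF:NOISE_OFF + len(NOISE)] = NOISE
    return bytes(buf)

def scan_indirect_branches(buf: bytes):
    """Find FF 25 (jmp [abs32]) / FF 15 (call [abs32]) and say whether the operand is an
    IAT slot. A hit whose operand is outside the IAT is what a byte scanner reports when
    it runs over data or overlay, like the "*padding*" rows in the report."""
    hits = []
    for off in range(len(buf) - 5):
        if buf[off] != 0xFF or buf[off + 1] not in (0x25, 0x15):
            continue
        slot = struct.unpack_from("<I", buf, off + 2)[0]
        hits.append({"offset": off,
                     "kind": "jmp" if buf[off + 1] == 0x25 else "call",
                     "slot": slot,
                     "iat_backed": IAT_RANGE[0] <= slot < IAT_RANGE[1]})
    return hits

def decode_vb6_entry(buf: bytes, entry_off: int):
    """`push <VB header> ; call <thunk>` is the stock VB6 native-code entry.
    Follow the call into its `jmp [slot]` thunk and report what was found."""
    if buf[entry_off] != 0x68 or buf[entry_off + 5] != 0xE8:
        raise ValueError("not a push imm32 / call rel32 stub")
    vb_header_va = struct.unpack_from("<I", buf, entry_off + 1)[0]
    rel = struct.unpack_from("<i", buf, entry_off + 6)[0]       # signed rel32
    target_off = entry_off + 10 + rel                            # relative to the next instruction
    if buf[target_off:target_off + 2] != b"\xff\x25":
        raise ValueError("call target is not a jmp [abs32] thunk")
    slot_va = struct.unpack_from("<I", buf, target_off + 2)[0]
    return {"vb_header_va": vb_header_va,
            "call_target_va": IMAGE_BASE + target_off,
            "iat_slot_va": slot_va,
            "iat_index": (slot_va - IAT_RANGE[0]) // 4}

def parse_nb10(blob: bytes):
    """CodeView 'NB10' (PDB 2.0) record: signature, offset, timestamp, age, PDB path."""
    sig, cv_off, ts, age = struct.unpack_from("<4sIII", blob, 0)
    if sig != b"NB10":
        raise ValueError("not an NB10 record")
    path = blob[16:].split(b"\0")[0].decode("latin-1")   # truncated in the report's excerpt
    return {"offset": cv_off, "timestamp": ts_to_utc(ts), "age": age, "path_prefix": path}

if __name__ == "__main__":
    img = build_image()
    print(decode_vb6_entry(img, ENTRY_OFF))
    for hit in scan_indirect_branches(img):
        print(hit)
    print(parse_nb10(OVERLAY_HEAD))
    print("TimeDateStamp 0x69B7C7FD ->", ts_to_utc(0x69B7C7FD))
```

Run against the real file, the same scan over the whole .text section should return exactly the 78 IAT-backed thunks the report lists, and any hit whose operand is outside the IAT (or outside the image) can be discarded as data. The NB10 timestamp in the overlay (08:53:00 UTC) precedes the header's TimeDateStamp (09:06:05 UTC) by thirteen minutes, which is worth noting but is not by itself evidence of tampering.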
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII bytes | 309,218 | 65.6292% |
| Null bytes | 19,825 | 4.2077% |
© 2026 All rights reserved.