PESCAN.IO - Analysis Report (Basic)

| File Structure |
[PE structure chart not reproduced; legend only]
PE Chart Code:
- Header PE (light blue)
- Executable sections (pink)
- Non-executable sections (black)
- External injected code (red)
- File Structure in red = malformed or corrupted header
Chart Code For Other Files:
- Printable characters (blue)
- Non-printable characters (black)
| Information |
- Size: 40,00 KB
- SHA-256 Hash: 78562A25C3F5C365BEE093F83096FD3B40CA0504E006A521C33C0CF88E3ACA41
- SHA-1 Hash: 6FCBEC15779E8330ABDE7C89A9DBC6B00FCDC032
- MD5 Hash: D3B6F542D6559083E9936685F9EFA214
- Imphash: F445A45319A90C0ED127FB3D0242E4FE
- MajorOSVersion: 4
- MinorOSVersion: 0
- CheckSum: 0000D025
- EntryPoint (rva): 14DC
- SizeOfHeaders: 1000
- SizeOfImage: A000
- ImageBase: 11000000
- Architecture: x86
- ExportTable: 65C0
- ImportTable: 5EC4
- IAT: 1000
- Characteristics: 210E
- TimeDateStamp: 4820CB32
- Date: 06/05/2008 21:18:42
- File Type: DLL
- Number Of Sections: 4
- ASLR: Disabled
- Section Names: .text, .data, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows GUI
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 1000 | 6000 | 1000 | 5666 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 7000 | 1000 | 7000 | B7C | | |
| .rsrc | 0x40000040 Initialized Data Readable | 8000 | 1000 | 8000 | A58 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 9000 | 1000 | 9000 | 760 | | |
| Description |
- OriginalFilename: XMLDI2FS2.dll
- CompanyName: Softwriters, Inc.
- ProductName: Project1
- FileVersion: 1.00.0002
- ProductVersion: 1.00.0002
- Language: English (United States) (ID=0x409)
- CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section 1 (.text) contains the entry point.

- EntryPoint (calculated): 14DC
- Code: 5A68747B001168787B001152E9E9FFFFFF0000005800000030000000500000004000000012D92BFE39043E4BACCD51A49415

Assembler (linear disassembly of the bytes above; only the first five instructions are real code, the rest is data decoded as instructions):

```
POP EDX
PUSH 0X11007B74
PUSH 0X11007B78
PUSH EDX
JMP 0XFFA
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], BL
ADD BYTE PTR [EAX], AL
XOR BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
PUSH EAX
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADC BL, CL
SUB EDI, ESI
CMP DWORD PTR [ESI + EDI], EAX
DEC EBX
LODSB AL, BYTE PTR [ESI]
INT 0X51
MOVSB BYTE PTR ES:[EDI], BYTE PTR [ESI]
XCHG EAX, ESP
```
| Signatures |
Rich Signature Analyzer:
- Code: 4D6FB9DB090ED788090ED788090ED7888A12D988080ED788462CDE880A0ED7883F28DA88080ED788F62ED388080ED78852696368090ED788
- Footprint md5 Hash: EC089569D746D1459E92C3763942171E
- The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:
- The file is not signed
| Packer/Compiler |
- Compiler: Visual Basic 6 - (Native Code)
- Detect It Easy (die):
  - PE: compiler: Microsoft Visual Basic(6.0)[Native]
  - PE: linker: Microsoft Linker(6.0)[-]
- Entropy: 4.28214
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| MSVBVM60.DLL | DllFunctionCall | It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects. |
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| ET Functions (carving) |
Original Name: XMLDI2FS2.dll
- DllCanUnloadNow
- DllGetClassObject
- DllRegisterServer
- DllUnregisterServer
| File Access |
- XMLDI2FS2.dll
- MSVBVM60.DLL
- \WINDOWS\system32\msvbvm60.dll
- shell32.dll
- VBA6.DLL
- ole32.dll
- .dat
| File Access (UNICODE) |
| XMLDI2FS2.dll |
| Words of Interest |
| exec |
| Strings/Hex Patterns Matched by File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual Basic v6.0 DLL |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \TYPELIB\1\0 | 83A8 | 6B0 | 83A8 | 4D53465402000100180000000904000000000000410000000100000000000000020000000000000000000000000000000600 | MSFT................A............................. |
| \_IID_CXMLDI2FILESYSTEM\1\0 | 8394 | 14 | 8394 | 10000000A2165B8B7FCBE349B7C3B367C79A04DB | ......[....I...g.... |
| \VERSION\1\1033 | 8130 | 264 | 8130 | 640234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | d.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
- MSVBVM60.DLL
- ole32.dll
- VBA6.DLL
- C:\WINDOWS\system32\MSCOMCTL.oca
- C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
- Form Definition Export Files (*.fde)|*.fde
- c:\windows\system32\msvbvm60.dll
- C:\swictls\objsafe.tlb
- XMLDI2FS2.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 1290 | 11001084 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1296 | 110010C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 129C | 110010E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12A2 | 11001068 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12A8 | 11001048 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12AE | 11001110 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12B4 | 11001024 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12BA | 1100112C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12C0 | 11001070 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12C6 | 11001128 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12CC | 11001114 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12D2 | 110010E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12D8 | 110010A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12DE | 110010DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 12E4 | 1100102C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12EA | 11001004 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12F0 | 1100115C | .text | JMP [static] | Indirect jump to absolute memory address |
| 12F6 | 11001000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12FC | 1100117C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1302 | 110010F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1308 | 1100107C | .text | JMP [static] | Indirect jump to absolute memory address |
| 130E | 110010BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1314 | 11001170 | .text | JMP [static] | Indirect jump to absolute memory address |
| 131A | 11001168 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1320 | 110010A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1326 | 1100101C | .text | JMP [static] | Indirect jump to absolute memory address |
| 132C | 110010D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1332 | 11001044 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1338 | 11001078 | .text | JMP [static] | Indirect jump to absolute memory address |
| 133E | 11001034 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1344 | 110010D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 134A | 11001154 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1350 | 1100108C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1356 | 110010F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 135C | 110010AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1362 | 110010FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1368 | 11001028 | .text | JMP [static] | Indirect jump to absolute memory address |
| 136E | 11001040 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1374 | 1100113C | .text | JMP [static] | Indirect jump to absolute memory address |
| 137A | 11001088 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1380 | 11001080 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1386 | 110010CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 138C | 11001074 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1392 | 11001008 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1398 | 11001058 | .text | JMP [static] | Indirect jump to absolute memory address |
| 139E | 11001174 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13A4 | 110010EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 13AA | 110010A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13B0 | 11001100 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13B6 | 1100110C | .text | JMP [static] | Indirect jump to absolute memory address |
| 13BC | 110010B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13C2 | 11001038 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13C8 | 11001054 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13CE | 11001108 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13D4 | 11001020 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13DA | 11001124 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13E0 | 11001030 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13E6 | 11001150 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13EC | 11001064 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13F2 | 11001184 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13F8 | 1100103C | .text | JMP [static] | Indirect jump to absolute memory address |
| 13FE | 11001130 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1404 | 1100106C | .text | JMP [static] | Indirect jump to absolute memory address |
| 140A | 11001010 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1410 | 110010B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1416 | 11001018 | .text | JMP [static] | Indirect jump to absolute memory address |
| 141C | 11001160 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1422 | 11001014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1428 | 1100116C | .text | JMP [static] | Indirect jump to absolute memory address |
| 142E | 11001060 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1434 | 1100105C | .text | JMP [static] | Indirect jump to absolute memory address |
| 143A | 11001180 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1440 | 11001118 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1446 | 1100104C | .text | JMP [static] | Indirect jump to absolute memory address |
| 144C | 11001120 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1452 | 1100109C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1458 | 110010E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 145E | 11001158 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1464 | 11001098 | .text | JMP [static] | Indirect jump to absolute memory address |
| 146A | 11001164 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1470 | 11001104 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1476 | 11001178 | .text | JMP [static] | Indirect jump to absolute memory address |
| 147C | 11001094 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1482 | 1100114C | .text | JMP [static] | Indirect jump to absolute memory address |
| 1488 | 110010F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 148E | 110010D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1494 | 110010C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 149A | 1100100C | .text | JMP [static] | Indirect jump to absolute memory address |
| 14A0 | 110010C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14A6 | 11001090 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14AC | 110010B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14B2 | 1100111C | .text | JMP [static] | Indirect jump to absolute memory address |
| 14B8 | 11001050 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14BE | 11001134 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14C4 | 11001144 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14CA | 11001140 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14D0 | 11001138 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14D6 | 11001148 | .text | JMP [static] | Indirect jump to absolute memory address |
| 32FC | 43534D00 | .text | CALL [static] | Indirect call to absolute memory address |
| 3835 | 1100101C | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 14255 | 34,8022% |
| Null Byte Code | 21239 | 51,853% |
| NOP Cave Found | 0x9090909090 (Block Count: 10) | Total: 0,061% |