MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing an embedded PE executable. Heuristics indicate the use of ShellExecute, URLDownloadToFile, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread APIs, suggesting the document attempts to download and execute a secondary payload. The embedded executable and the URL used for downloading are key indicators of this malicious behavior.
Heuristics 7
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREADReference to CreateRemoteThread API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.crazy-japanese.com/g/3546jk.jpg In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00006800.exe |
embedded-pe | Office MZ+PE at offset 0x6800 | 3072 bytes |
SHA-256: 1fb9eb8a0df0f5915a5f45c0ab83cf7f8de27a56874a4e94f830aab2e85a2e3e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.