MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1059.006 Python
T1059.010 Java
The sample exhibits high-severity heuristic firings indicating the use of WinExec, CreateProcess, and ShellExecute APIs, suggesting an attempt to execute arbitrary code. A critical heuristic identified XOR-encoded strings (key 0xCE), which are commonly used for obfuscation. The presence of a large slack space anomaly in the OLE structure further supports a suspicious nature. While no document body text was readable, the combination of API calls and obfuscation techniques points to a downloader or dropper functionality.
Heuristics 5
-
XOR-encoded strings (key 0xCE) critical SC_XOR_ENCODEDFound 5 Windows library/API name(s) XOR-encoded with single-byte key 0xCE: 'CreateProcessA', 'CreateFileA�', 'OpenProcess�', 'RegOpenKeyExA', 'ShellExecuteA'
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 121,182 bytes but its declared streams total only 16,486 bytes — 104,696 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.