MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information
T1218 Signed Binary Proxy Execution
The sample exhibits high-confidence heuristic firings related to API hash resolution and PEB access, indicating sophisticated evasion techniques. References to VirtualAlloc, LoadLibrary, and GetProcAddress suggest the code is preparing to dynamically load and execute further malicious code. The large slack space in the OLE structure is also anomalous. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the technical indicators point towards a downloader or dropper.
Heuristics 7
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 74,597 bytes but its declared streams total only 21,151 bytes — 53,446 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.