MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
T1059.003 Windows Command Shell
The sample contains an embedded OLE object that, when processed, reveals a PowerShell script. This script is designed to download a file from 'http://www.sunamien.jp/cgi/up/uploader.cgi?mode=downld&no=55' to 'C:\Users\Public\Downloads\python312x86.zip', then move it to the user's AppData\Roaming\Templates directory. Finally, it attempts to extract the archive and execute 'Protected.py' using 'pythonw.exe', indicating a multi-stage infection process. The presence of Equation Editor and suspicious command-line invocations further supports this malicious intent.
Heuristics 6
-
Equation Editor OLE object high OLE_EQUATION_EDITORContains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 16,384 bytes but its declared streams total only 0 bytes — 16,384 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.sunamien.jp/cgi/up/uploader.cgi?mode=downld&no=55
Open this report in the interactive analyzer, or submit your own file for analysis.