MALICIOUS
482
Risk Score
Heuristics 11
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.autohotkey.com In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0006f000.exe |
embedded-pe | Office MZ+PE at offset 0x6F000 | 226304 bytes |
SHA-256: e7a57fd2d6db69765cf240c74bee5e30b5b4d1221c97cb65eb3c5350e575900b |
|||
|
Detection
ClamAV:
Win.Spyware.83214-2
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.