Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The document employs a remote support tool lure and a callback phishing lure, instructing the user to contact a support number to resolve a fabricated issue. It also contains a heuristic firing for PowerShell execution, suggesting a malicious script is embedded or referenced. The combination indicates a social engineering attack designed to gain remote access or extract information.
Heuristics (4)
- LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Remote-support tool lure (severity: high, SE_REMOTE_SUPPORT_LURE): Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document.
- Callback phishing phone lure (severity: medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.