Verdict: MALICIOUS
Risk Score: 264
MITRE ATT&CK: T1059.001 PowerShell; T1105 Ingress Tool Transfer

Malware Insights
The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the presence of API hashing and LoadLibrary/GetProcAddress, suggesting the embedded executable is designed to dynamically load its functionality. The analysis timed out, but the primary finding is the embedded executable, which is a common delivery mechanism for second-stage payloads.
Heuristics (8)

- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL): x86 GetPC stub (CALL $+5; POP EAX)
- PEB access via FS segment (x86) (high, SC_PEB_ACCESS): PEB access via FS segment (x86)
- PEB API-hash resolver (high, SC_API_HASH_RESOLVER): PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Unsupported Office format for VBA extraction (info, OFFICE_FORMAT_UNSUPPORTED): olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
- Analysis timed out (partial result) (info, ANALYSIS_TIMEOUT_PARTIAL): Analysis exceeded the wall-clock timeout. Heuristics emitted by completed phases are preserved; phases interrupted mid-execution may have missed findings.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00018200.exe (hash 6b0da4a9075dde8dd1e20144c18e284bb11ccfe0f7662bc1b144b5c8c56faae9) | embedded-pe | Office MZ+PE at offset 0x18200 | 135169 bytes |