MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
T1204.001 Malicious Link
T1059.003 Windows Command Shell
The sample is a Microsoft Word document exhibiting OLE slack anomalies and multiple high-severity heuristic firings related to PEB access, API hash resolution, and the use of VirtualAlloc, LoadLibrary, and GetProcAddress. These indicators suggest the document contains shellcode designed to download and execute a second-stage payload, likely from the URL http://www.example.com/payload.exe. The presence of these low-level API calls and memory allocation functions points towards a sophisticated exploit or downloader mechanism.
Heuristics 7
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 109,473 bytes but its declared streams total only 20,632 bytes — 88,841 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.