Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1204.002 Malicious File
The sample contains references to ShellExecute and Windows Script Host, indicating an attempt to execute external commands or scripts. The 'Clipboard command execution lure' heuristic suggests the document instructs the user to copy and paste content into a shell, which is a common social engineering tactic. While no scripts were explicitly extracted, the presence of these indicators and an embedded URL points towards a downloader or initial access mechanism. The OLE slack anomaly suggests potential obfuscation or padding within the file structure.
Heuristics (5)
- Reference to ShellExecute API [high] (SC_STR_SHELLEXEC): Reference to ShellExecute API
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY): OLE file is 74,017 bytes but its declared streams total only 8,298 bytes — 65,719 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Clipboard command execution lure [high] (SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs:
  - http://www.t.net
  - http://127.0.0.1
  - http://www.google.com
  - http://www.ip138.com/index.asp