Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1059.001 PowerShell
The file is a malicious OLE document that exhibits characteristics of an exploit, including a NOP sled and references to Windows API functions like CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress. ClamAV identified it as Win.Exploit.MSWord-6. Although VBA macros could not be extracted due to an unsupported format, the presence of these API calls strongly suggests the document attempts to download and execute a second-stage payload.
Heuristics (8)
- ClamAV: Win.Exploit.MSWord-6 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Exploit.MSWord-6
- NOP sled detected [high, SC_NOP_SLED]: Found 20+ consecutive 0x90 bytes
- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]: Reference to CreateProcess API
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]: Reference to LoadLibrary API
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 84,066 bytes but its declared streams total only 26,783 bytes; 57,283 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API
- Unsupported Office format for VBA extraction [info, OFFICE_FORMAT_UNSUPPORTED]: olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML; re-scanning the same bytes will yield the same outcome.