MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1055.012 Process Hollowing
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information
The sample exhibits several high-severity heuristic firings related to PEB access and API hash resolution, suggesting it employs anti-analysis techniques common in malware. The presence of OLE slack anomalies and references to VirtualAlloc, LoadLibrary, and GetProcAddress indicate the likely intent to dynamically load and execute code. Without a document body or scripts, the exact delivery mechanism and payload remain unclear, leading to a lower confidence in family attribution.
Heuristics 7
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 268,826 bytes but its declared streams total only 24,565 bytes — 244,261 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.