MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The sample fires high-severity heuristics for string references to the CreateProcess and ShellExecute APIs, which a contact-list document has no legitimate reason to contain and which point to an attempt to launch external processes. The large unaccounted-for region in the OLE container (76% of the file lies outside every declared stream) is consistent with an embedded, obfuscated payload. No extracted URL was flagged as malicious; all of them are US congressional contact pages, consistent with a lure document. The visible document body appears benign, but the container structure and the API references together indicate downloader or dropper functionality, and the hidden region makes an embedded (dropped) second stage the more likely of the two.
Heuristics (4)
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): the file contains a string reference to the CreateProcess API.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): the file contains a string reference to the ShellExecute API.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): the OLE file is 89,600 bytes but its declared streams total only 21,308 bytes, so 68,292 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://wicker.senate.gov/public/index.cfm?fuseaction=contact.emailsenatorwicker%
  - http://inhofe.senate.gov/contactus.htm
  - http://gillibrand.senate.gov/contact
  - http://kerry.senate.gov/v3/contact/email.html
  - http://boxer.senate.gov/contact/webform.html
  - http://feingold.senate.gov/contact_opinion.html$
  - http://dodd.senate.gov/webmail
  - http://webb.senate.gov/contact
  - http://bradsherman.house.gov/sherman/contact
  - http://www.house.gov/writerep
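The OLE_SLACK_ANOMALY arithmetic above (file size minus what the container's own structures account for) and the XOR-encoded payload it refers to can be checked by hand. The following is an added example, not the analyzer's code: a minimal CFB (OLE2) reader in pure Python that parses the header, FAT and directory, reports declared stream bytes and FAT-allocated bytes against the file size, and brute-forces single-byte XOR keys over the unallocated tail looking for the DOS stub string every PE file carries. The container it analyses is constructed in memory for the demonstration; the function names, the stream layout and the 0x7A key are assumptions of the example, not artifacts of the reported file.

```python
"""Added example: CFB/OLE2 slack-space measurement plus a single-byte XOR scan.
Not the analyzer's code; the sample container below is constructed, not a real file."""
import struct

SECTOR = 512
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOS_STUB = b"This program cannot be run in DOS mode"


def _dir_entry(name, obj_type, child=0xFFFFFFFF, start=ENDOFCHAIN, size=0):
    """One 128-byte CFB directory entry (type 5 = root storage, 2 = stream)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = raw.ljust(64, b"\x00")
    entry += struct.pack("<HBB", len(raw), obj_type, 1)          # name length, type, colour
    entry += struct.pack("<III", 0xFFFFFFFF, 0xFFFFFFFF, child)   # left, right, child
    entry += b"\x00" * 36                                         # CLSID, state bits, timestamps
    entry += struct.pack("<IQ", start, size)                      # first sector, stream size
    return entry


def build_sample(xor_key=0x7A):
    """Constructed sample: header, 1 FAT sector, 1 directory sector, one 9-sector stream,
    then a region no FAT chain or directory entry covers, hiding an XOR-encoded PE header."""
    stream_data = b"W" * 4608                   # >= 4096-byte cutoff, so a regular (non-mini) stream
    nsec = len(stream_data) // SECTOR           # data occupies sectors 2..10
    fat = [FREESECT] * (SECTOR // 4)
    fat[0] = FATSECT                            # sector 0: the FAT itself
    fat[1] = ENDOFCHAIN                         # sector 1: the directory (single sector)
    for s in range(2, 2 + nsec):
        fat[s] = s + 1 if s < 1 + nsec else ENDOFCHAIN
    header = MAGIC + b"\x00" * 16
    header += struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
    header += struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))        # DIFAT: the FAT is in sector 0
    directory = _dir_entry("Root Entry", 5, child=1)
    directory += _dir_entry("WordDocument", 2, start=2, size=len(stream_data))
    payload = b"MZ\x90\x00" + DOS_STUB + b"\x00" * 100           # stand-in for a dropped PE
    slack = b"\x00" * 300 + bytes(b ^ xor_key for b in payload) + b"\x00" * 200
    return (header + struct.pack("<128I", *fat) + directory.ljust(SECTOR, b"\x00")
            + stream_data + slack)


def find_xor_payload(blob, needle=DOS_STUB):
    """Try every single-byte XOR key; return (key, offset) of the first hit, else None."""
    for key in range(256):
        pos = blob.find(bytes(b ^ key for b in needle))
        if pos != -1:
            return key, pos
    return None


def analyze(data):
    """Compare declared stream sizes and FAT-allocated sectors with the file size, then
    scan the unallocated tail, which is what the OLE_SLACK_ANOMALY figures describe."""
    if data[:8] != MAGIC:
        raise ValueError("not a CFB/OLE2 container")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if n_fat > 109:
        raise ValueError("DIFAT sectors are not handled in this example")
    fat = []
    for fs in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, sec * (fs + 1)))

    def chain(start):                           # follow a FAT chain, bounded against loops
        out, s = [], start
        while s < len(fat) and len(out) < len(fat):
            out.append(s)
            s = fat[s]
        return out

    dir_bytes = b"".join(data[sec * (s + 1):sec * (s + 2)] for s in chain(first_dir))
    streams, declared = [], 0
    for off in range(0, len(dir_bytes), 128):
        name_len, obj_type = struct.unpack_from("<HB", dir_bytes, off + 0x40)
        if obj_type not in (2, 5):              # 2 = stream, 5 = root (its stream holds mini streams)
            continue
        size = struct.unpack_from("<Q", dir_bytes, off + 0x78)[0]
        name = dir_bytes[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
        streams.append((name, size))
        declared += size
    used = [i for i, x in enumerate(fat) if x != FREESECT]
    accounted = sec * (1 + len(used))           # header plus every sector some FAT entry claims
    tail_off = sec * (max(used) + 2) if used else sec
    unaccounted = len(data) - accounted
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "accounted_bytes": accounted,
        "unaccounted_bytes": unaccounted,
        "unaccounted_pct": 100 * unaccounted // len(data),
        "xor_hit": find_xor_payload(data[tail_off:]),   # (key, offset within the tail) or None
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed file the tail is 642 of 6,786 bytes (9%) and the scan recovers key 0x7A with the MZ header four bytes before the stub; the reported sample's 68,292 of 89,600 bytes (76%) is the same measurement at a scale no ordinary edit history produces. Two caveats when applying this to real files: Office does not always compact freed sectors after saves, so a few percent of free space is normal and the slack ratio alone is a weak signal, which is why the decode step matters; and this example only examines the region after the last allocated sector, whereas a payload can also sit in free sectors inside the allocated range or be encoded with a multi-byte or rolling key, so widen the regions scanned and the key space (or fall back to an entropy check) before clearing a suspicious file.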