MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1218 System Binary Proxy Execution
The sample exhibits characteristics of a malicious OLE document, including a large slack space anomaly and references to Windows execution APIs such as WinExec, CreateProcess, and LoadLibrary. The presence of 'SE_LOLBIN_RUN_COMMAND' and 'SC_STR_CMD' heuristics strongly suggests the execution of a command-line payload, likely involving cmd.exe. The document body contains what appears to be test data or metadata rather than a user-facing lure.
Heuristics 8
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 136,192 bytes but its declared streams total only 31,351 bytes — 104,841 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.