Verdict: MALICIOUS
Risk Score: 340

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a PowerPoint file (PPS) identified by ClamAV as Win.Trojan.Bifrose-19335. It contains an embedded PE executable, indicating a likely delivery mechanism for a secondary malicious payload. The heuristics for PEB access and API hash resolution suggest anti-analysis techniques commonly employed by trojans.
Heuristics (7)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| Embedded PE executable | critical | OLE_EMBEDDED_EXE | MZ/PE header found inside document — possible embedded executable |
| ClamAV: Win.Trojan.Bifrose-19335 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Win.Trojan.Bifrose-19335 |
| ClamAV detection on extracted artifact | critical | EXTRACTED_FILE_CLAMAV | ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle. |
| PEB access via FS segment (x86) | high | SC_PEB_ACCESS | PEB access via FS segment (x86) |
| PEB API-hash resolver | high | SC_API_HASH_RESOLVER | PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver |
| Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY | Reference to LoadLibrary API |
| Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS | Reference to GetProcAddress API |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_00003678.exe | b308fc55e8d3d085fe5a8f8584de6952038ab45d94c7ccac2d85e06a046cc4d1 | embedded-pe | Office MZ+PE at offset 0x3678 | 399752 bytes | Win.Trojan.Bifrose-19335 | unlikely |