Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample exhibits characteristics of a downloader, indicated by the presence of PEB access, API hash resolution, and references to VirtualAlloc, LoadLibrary, and GetProcAddress. These heuristics suggest the file is designed to dynamically load and execute code. Although the document body is heavily truncated and unreadable, the heuristics strongly point towards a malicious payload delivery mechanism. The benign reputation of the extracted URLs does not negate the malicious indicators from the heuristics.
Heuristics (8)
- x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]
- PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
- PEB API-hash resolver [high, SC_API_HASH_RESOLVER]: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: Long run of 0x43 bytes
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://crl.microsoft.com/pki/crl/products/tspca.crl0H
  - http://www.microsoft.com/pki/certs/tspca.crt0
  - http://crl.microsoft.com/pki/crl/products/WinIntPCA.crl0U
  - http://www.microsoft.com/pki/certs/MicrosoftWinIntPCA.crt0
  - http://update.microsoft.com/windowsupdate