Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059 Command and Scripting Interpreter
The sample exhibits high-severity heuristics indicating a heap spray (SC_HEAP_SPRAY) and the use of the CreateProcess API (SC_STR_CREATEPROCESS), suggesting an attempt to execute arbitrary code. The large slack space in the OLE structure (OLE_SLACK_ANOMALY) and the presence of an EMF object within an EPRINT stream (OLE_EPRINT_EMF_OBJECT) are also suspicious. The embedded URL, while not directly used in the observed heuristics, is noted as a potential indicator of compromise.
Heuristics (5)
- Office EPRINT stream contains EMF object (severity: high, rule: OLE_EPRINT_EMF_OBJECT): OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
- Heap-spray pattern detected (severity: high, rule: SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
- Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS): Reference to CreateProcess API.
- OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY): OLE file is 110,592 bytes but its declared streams total only 31,351 bytes; 79,241 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.boycottmadeinchina.org