MALICIOUS
340
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature Win.Trojan.Delf-7648947-0. Static analysis revealed an embedded PE executable, indicating it functions as a dropper. Heuristics also indicate the presence of Metasploit reverse shellcode and API calls commonly used for payload execution and loading, such as VirtualAlloc and LoadLibrary.
Heuristics 7
-
Metasploit reverse_tcp shellcode critical SC_MSF_REVERSEMetasploit reverse_tcp shellcode
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
ClamAV: Win.Trojan.Delf-7648947-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Delf-7648947-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00006000.exe4216c0733609783aa75817f60bdb63d57e1a2af4c6602055d029d548e4149a11 |
embedded-pe | Office MZ+PE at offset 0x6000 | 692224 bytes |
|
Detection
ClamAV:
Win.Trojan.Delf-7648947-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.