MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document that exhibits a large slack space anomaly, suggesting hidden or packed content. Heuristics indicate suspicious use of WinExec, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, along with a direct invocation of cmd.exe with an execution flag. These findings strongly suggest the document is designed to download and execute a second-stage payload, likely exploiting embedded OLE objects.
Heuristics 8
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 152,064 bytes but its declared streams total only 31,351 bytes — 120,713 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.