Verdict: MALICIOUS
Risk Score: 262
Malware Insights

MITRE ATT&CK:
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The file is identified as malicious and contains an embedded PE executable. Static heuristics found references to Windows APIs such as CreateProcess and ShellExecute, suggesting the embedded executable is intended to be run. The presence of an embedded executable strongly points towards downloader or dropper functionality.
Heuristics (8)

- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document — possible embedded executable
- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- http://www.spikko.com
- http://schemas.microsoft.com/office/word/2003/wordml (the standard Word 2003 WordML schema namespace, not a contacted host)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00032200.exe (SHA-256 6b7596d2f04c23f5ed8a0fdda1fb6a7736351afeafea0ae1eaddf61ecc2589bc) | embedded-pe | Office MZ+PE at offset 0x32200 | 1032704 bytes |