Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 75df960f5ca464ee…

MALICIOUS

Office (OLE) / .DOC

108.0 KB
MD5: c8b9145f8cf3ce67a01a70e44c81f88b
SHA-1: 1e2e38c8ed715d7ba67222b28614b14e79437af3
SHA-256: 75df960f5ca464ee66637b48108005b1259673f933bd54a2f0cd4fd8c99e9c01

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document with a large slack-space anomaly, indicating potential obfuscation or embedded malicious content. The presence of embedded OLE objects and a reference to the CreateProcess API suggest the file is designed to execute code or launch other applications. The EMF object within the EPRINT stream is a further suspicious indicator.

Heuristics (3)

  • OLE_EPRINT_EMF_OBJECT (severity: high, CVE-related): Office EPRINT stream contains EMF object
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • SC_STR_CREATEPROCESS (severity: high): Reference to CreateProcess API
    Reference to CreateProcess API.
  • OLE_SLACK_ANOMALY (severity: high): OLE document has large unaccounted-for region
    OLE file is 110,592 bytes but its declared streams total only 31,351 bytes; 79,241 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).