MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1564.003 Obfuscated Files or Information: Hidden Files
The sample is an OOXML document that is encrypted with a default password and exhibits malformed structure, indicating an attempt to hinder analysis. The encryption and malformed nature are strong indicators of malicious intent, likely to conceal a malicious payload or evade detection mechanisms. No specific payload or execution method could be determined due to the heavy obfuscation.
Heuristics 4
-
Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMEDEncrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
-
Encrypted Office package with non-block-aligned cipher high OFFICE_ENCRYPTED_PACKAGE_MALFORMEDEncryptedPackage cipher body is 85,565 bytes — not a multiple of the 16-byte AES block size.
-
Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGEOLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
-
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXMLOLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
Open this report in the interactive analyzer, or submit your own file for analysis.