MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1105 Ingress Tool Transfer
The sample is a Microsoft Office document containing an embedded PE executable. Heuristics indicate the presence of APIs commonly used for loading and executing code, such as VirtualAlloc, LoadLibrary, and GetProcAddress. The embedded executable is the primary indicator of malicious intent, suggesting a delivery mechanism for a secondary payload.
Heuristics 6
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
- http://www.microsoft.com/pki/certs/CSPCA.crt0
- http://crl.microsoft.com/pki/crl/products/tspca.crl0H
- http://www.microsoft.com/pki/certs/tspca.crt0
- http://office.microsoft.com
- http://support.microsoft.com/?kbid=xxxxxxPSS10R.CHMERRORSUPPORTTEXT_RETAIL_DEFAULT_PROBLEM_PREIf
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00002400.exe05dc33815f31de4a8ae977bf738be71b6914c252ef6576b32a907b7e7ab05411 |
embedded-pe | Office MZ+PE at offset 0x2400 | 981767 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.