Verdict: MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1555 Credentials from Password Stores
T1027 Obfuscated Files or Information
The sample is a Microsoft Word document with a significant amount of slack space and an embedded PE executable. The document body contains what appears to be legitimate Lithuanian healthcare center information, but it is heavily corrupted with non-readable characters. The embedded executable is the primary indicator of malicious intent, suggesting a delivery mechanism for a secondary payload. One extracted URL points to a JavaScript file, which may be related to the payload delivery or obfuscation.
Heuristics (3)
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 65,536 bytes but its declared streams total only 17,048 bytes — 48,488 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://show.textads.lt/scripts/show_ads2.js
  - URL: http://adlt.hit.gemius.pl/_
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00006000.exe (SHA-256: 34f3e2b980dc99cec85bd20ec3ef6f0b79cf825660431ab5da864aea6a9aeda6) | embedded-pe | Office MZ+PE at offset 0x6000 | 40960 bytes |