Verdict: MALICIOUS
Risk Score: 340

Malware Insights

MITRE ATT&CK
- T1055 Process Injection
- T1055.012 Process Hollowing
The file is an OLE document with the characteristics of a malicious Office document carrying embedded shellcode. The heuristics found an x86 GetPC stub (CALL $+5; POP EAX) together with string references to WinExec, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary and GetProcAddress: the API set a payload uses to resolve imports at run time, allocate and write memory in another process and start a thread there. None of the triggered heuristics concerns a VBA macro; the indicators point to raw shellcode inside the container. They are string references and a disassembly of raw bytes rather than observed calls, so they establish intent, not confirmed behaviour. The combination supports T1055 Process Injection; process hollowing specifically (T1055.012) would normally also involve creating a suspended process, unmapping its image and resuming its thread, and none of those APIs appear among the references. The large slack region in the OLE structure (87% of the file lies outside any declared stream) is consistent with a hidden or encoded payload stored there.
Heuristics (8)

- Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
- Reference to CreateRemoteThread API [critical] SC_STR_CREATEREMOTETHREAD
- x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
  Attempted x86 opcode disassembly at the stub:
    00007D55  e800000000  call 0x7d5a
    00007D5A  58          pop eax
    00007D5B  83c005      add eax, 5
    00007D5E  c3          ret
    00007D5F  f3a4        rep movsb byte ptr es:[edi], byte ptr [esi]
    00007D61  33c0        xor eax, eax
    00007D63  8bcb        mov ecx, ebx
    00007D65  f3aa        rep stosb byte ptr es:[edi], al
    00007D67  6a00        push 0
    00007D69  ffd2        call edx
    00007D6B  50          push eax
    00007D6C  ffd5        call ebp
    00007D6E  8b4f14      mov ecx, dword ptr [edi + 0x14]
    00007D71  8b07        mov eax, dword ptr [edi]
    00007D73  8bd0        mov edx, eax
    00007D75  03d1        add edx, ecx
    00007D77  8b5f10      mov ebx, dword ptr [edi + 0x10]
    00007D7A  03d9        add ebx, ecx
    00007D7C  2bda        sub ebx, edx
    00007D7E  8b6e18      mov ebp, dword ptr [esi + 0x18]
    00007D81  8b561c      mov edx, dword ptr [esi + 0x1c]
    00007D84  8b7710      mov esi, dword ptr [edi + 0x10]
    00007D87  8b3f        mov edi, dword ptr [edi]
    00007D89  ffe4        jmp esp
    00007D8B  ff561c      call dword ptr [esi + 0x1c]
    00007D8E  6a00        push 0
    00007D90  ff5618      call dword ptr [esi + 0x18]
    00007D93  53          push ebx
    00007D94  55          push ebp
    00007D95  56          push esi
    00007D96  57          push edi
    00007D97  368b6c2418  mov ebp, dword ptr ss:[esp + 0x18]
    00007D9C  368b453c    mov eax, dword ptr ss:[ebp + 0x3c]
    00007DA0  368b540578  mov edx, dword ptr ss:[ebp + eax + 0x78]
    00007DA5  03d5        add edx, ebp
    00007DA7  3e8b4a18    mov ecx, dword ptr ds:[edx + 0x18]
    00007DAB  3e8b5a20    mov ebx, dword ptr ds:[edx + 0x20]
    00007DAF  03dd        add ebx, ebp
    00007DB1  e338        jecxz 0x7deb
    00007DB3  49          dec ecx
    00007DB4  3e          .byte 0x3e
  Notes on the listing: the stub at 0x7D55 (CALL $+5; POP EAX; ADD EAX, 5; RET) returns with EAX holding the address of the byte after its own RET, which is how position-independent code locates itself. The listing is a linear sweep, so the bytes between 0x7D5F and 0x7D90 are not necessarily one routine. From 0x7D93 on it is the standard PE export-table walk of a hash-based API resolver: the function saves EBX, EBP, ESI and EDI, takes its second stack argument ([esp + 0x18]) as the module base, reads e_lfanew at [base + 0x3c], the export DataDirectory RVA at [NT headers + 0x78], NumberOfNames at [export directory + 0x18] and AddressOfNames at [export directory + 0x20], then walks the name table backwards with DEC ECX until JECXZ exits. This is why the sample can use the API set above without an import table. The listing stops at a lone 0x3e (a DS segment-override prefix) where the decode window ends, before the hash comparison that would show which API is being resolved.
- Reference to WinExec API [high] SC_STR_WINEXEC
- Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
- Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
- OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
  The OLE file is 226,404 bytes but its declared streams total only 29,612 bytes; the remaining 196,792 bytes (87%) lie in unallocated sector slack, outside every declared stream. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
- Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
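The three file-level heuristics above (slack accounting, the GetPC stub and the API-name strings) can be reproduced on any OLE2/CFB file with a short static scanner. The following is an added example written for this page, not the analyzer's own code: it parses the compound-file header, FAT and directory per MS-CFB, sums the sizes declared by stream entries, counts bytes that no allocated sector owns, and scans the whole file for the CALL $+5 / POP stub and the API names listed in the heuristics. The sample container it runs on is constructed inline (a real CFB structure with a single stream, followed by slack holding the stub bytes from the listing and two API names); `build_sample`, `triage`, the 25% slack threshold and the limit of 109 FAT sectors (DIFAT held in the header) are this example's own choices.

```python
"""Static triage of an OLE2/CFB file: declared-stream accounting, x86 GetPC
stub and API-name string scans.  Added example, not the analyzer's own code;
the sample container is constructed inline (no real malware involved)."""
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
API_NAMES = [b"WriteProcessMemory", b"CreateRemoteThread", b"WinExec",
             b"LoadLibrary", b"GetProcAddress", b"VirtualAlloc"]
# x86 GetPC stub: CALL rel32=0 (E8 00 00 00 00) immediately followed by POP r32 (58..5F)
GETPC_RE = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])")
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def ole_accounting(data):
    """Return (bytes declared by stream directory entries, bytes not owned by any
    allocated sector).  Assumes the DIFAT fits in the header (<= 109 FAT sectors)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]          # sector size (512 for v3)
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)    # FAT sector count, first dir sector
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(i):                                              # the header occupies "sector -1"
        return data[(i + 1) * ssz:(i + 2) * ssz]

    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack("<%dI" % (ssz // 4), sector(s)))
    declared, s, seen = 0, first_dir, set()
    while s < len(fat) and s not in seen:                       # follow the directory chain
        seen.add(s)
        sec = sector(s)
        for off in range(0, ssz, 128):                          # 128-byte directory entries
            if sec[off + 0x42] == 2:                            # object type 2 = stream
                declared += struct.unpack_from("<Q", sec, off + 0x78)[0] & 0xFFFFFFFF
        s = fat[s]
    n_sectors = -(-(len(data) - ssz) // ssz)                    # sectors present after the header
    allocated = sum(1 for i in range(n_sectors) if i < len(fat) and fat[i] != FREESECT)
    return declared, len(data) - ssz * (1 + allocated)


def scan_getpc(data):
    """Offsets of CALL $+5 / POP stubs and the register each stub pops into."""
    return [(m.start(), POP_REGS[m.group(1)[0] - 0x58]) for m in GETPC_RE.finditer(data)]


def scan_api_names(data):
    """API names present as plain strings, with every offset at which they occur."""
    hits = {n.decode(): [m.start() for m in re.finditer(re.escape(n), data)] for n in API_NAMES}
    return {k: v for k, v in hits.items() if v}


def triage(data, slack_threshold=0.25):
    declared, unallocated = ole_accounting(data)
    findings = ["OLE_SLACK_ANOMALY"] if unallocated / len(data) > slack_threshold else []
    getpc, apis = scan_getpc(data), scan_api_names(data)
    if getpc:
        findings.append("SC_GETPC_CALL")
    findings += ["SC_STR_" + n.upper() for n in apis]
    return {"size": len(data), "declared": declared, "unallocated": unallocated,
            "getpc": getpc, "apis": apis, "findings": findings}


def build_sample(slack):
    """Constructed CFB v3 container: sector 0 = FAT, 1 = directory, 2..9 = one
    4096-byte stream, then `slack` bytes that no entry or chain accounts for."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # version, byte order, shifts
    struct.pack_into("<III", hdr, 0x28, 0, 1, 1)                   # dir sectors (0 in v3), #FAT, first dir
    struct.pack_into("<IIIIII", hdr, 0x34, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)     # DIFAT: the FAT is sector 0
    fat = [FREESECT] * 128
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(2, 9):
        fat[i] = i + 1                                             # stream chain 2 -> 3 -> ... -> 9
    fat[9] = ENDOFCHAIN

    def entry(name, otype, child=NOSTREAM, start=ENDOFCHAIN, size=0):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), otype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, child=1) + entry("Payload", 2, start=2, size=4096) + bytes(256)
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + b"A" * 4096 + slack


# Constructed slack: the stub bytes from the listing above plus two API names, inside padding
STUB = bytes.fromhex("e8000000005883c005c3")      # call $+5; pop eax; add eax, 5; ret
SAMPLE_SLACK = (b"\x00" * 4096 + STUB + b"\x90" * 512
                + b"WriteProcessMemory\x00CreateRemoteThread\x00" + b"\xcc" * 16000)
SAMPLE = build_sample(SAMPLE_SLACK)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Two numbers come out of the accounting: the declared-stream total, which is what the report's 29,612-byte figure measures, and the sector-accurate unallocated count, which excludes the header, FAT and directory sectors and is the better basis for a threshold because a legitimate document with many small streams also carries metadata overhead. The scans run over the whole file rather than only the slack so that a stub placed inside a declared stream is caught as well.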
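The export-table walk that starts at 0x7D93 in the disassembly is easier to verify against the PE layout when written out. The following is an added example for this page, not the analyzer's code: it builds a minimal PE32 image in memory with a populated export directory and then performs the same sequence of reads the shellcode does ([base + 0x3c], [NT headers + 0x78], [export directory + 0x18] and [+ 0x20], DEC ECX loop). Two assumptions are this example's own: the image is flat (RVA equals buffer offset, as for a module mapped at base 0, so the register `ebp` is 0), and the lookup compares names instead of hashes, because the hash loop lies past the point where the listing is truncated; `build_image`, `walk_exports` and `resolve` are names chosen here.

```python
"""The PE export-directory walk performed by the shellcode from 0x7D93 onward,
re-implemented over a constructed in-memory PE32 image.  Added example, not the
analyzer's code.  Assumptions: flat image (RVA == buffer offset, module base 0)
and name comparison in place of the hash loop that the listing does not show."""
import struct


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_image(exports):
    """Constructed minimal PE32 image whose export table lists `exports`
    (name -> function RVA).  Only the fields the walk touches are populated."""
    img = bytearray(0x1000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew: IMAGE_NT_HEADERS at 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x80 + 0x18, 0x10B)        # OptionalHeader.Magic = PE32
    exp = 0x200                                            # IMAGE_EXPORT_DIRECTORY at RVA 0x200
    struct.pack_into("<II", img, 0x80 + 0x78, exp, 0x28)   # DataDirectory[EXPORT] = {RVA, size}
    names = list(exports)
    name_rvas, str_rva = [], 0x400
    for n in names:                                        # NUL-terminated name strings
        name_rvas.append(str_rva)
        img[str_rva:str_rva + len(n) + 1] = n.encode() + b"\x00"
        str_rva += len(n) + 1
    # +0x14 NumberOfFunctions, +0x18 NumberOfNames, +0x1C AddressOfFunctions,
    # +0x20 AddressOfNames, +0x24 AddressOfNameOrdinals
    struct.pack_into("<IIIII", img, exp + 0x14, len(names), len(names), 0x300, 0x340, 0x380)
    struct.pack_into("<%dI" % len(names), img, 0x300, *[exports[n] for n in names])
    struct.pack_into("<%dI" % len(names), img, 0x340, *name_rvas)
    struct.pack_into("<%dH" % len(names), img, 0x380, *range(len(names)))
    return bytes(img)


def walk_exports(image):
    """Visit the export name table exactly as the listing does and return
    (name, function RVA) pairs in the order the DEC ECX loop reaches them."""
    ebp = 0                                       # module base (flat image, so 0)
    eax = u32(image, ebp + 0x3C)                  # mov eax, [ebp+0x3c]        e_lfanew
    edx = ebp + u32(image, ebp + eax + 0x78)      # mov edx, [ebp+eax+0x78]    export dir RVA
                                                  # add edx, ebp               -> address
    ecx = u32(image, edx + 0x18)                  # mov ecx, [edx+0x18]        NumberOfNames
    ebx = ebp + u32(image, edx + 0x20)            # mov ebx, [edx+0x20]        AddressOfNames
                                                  # add ebx, ebp               -> address
    funcs = ebp + u32(image, edx + 0x1C)          # AddressOfFunctions     (beyond the listing)
    ords = ebp + u32(image, edx + 0x24)           # AddressOfNameOrdinals  (beyond the listing)
    seen = []
    while ecx:                                    # jecxz: stop once the name count hits zero
        ecx -= 1                                  # dec ecx: the table is walked backwards
        name_at = ebp + u32(image, ebx + ecx * 4)
        name = image[name_at:image.index(b"\x00", name_at)].decode()
        ordinal = struct.unpack_from("<H", image, ords + ecx * 2)[0]
        seen.append((name, u32(image, funcs + ordinal * 4)))
    return seen


def resolve(image, name):
    """GetProcAddress-free lookup: the reason the sample needs no import table."""
    for n, rva in walk_exports(image):
        if n == name:
            return rva
    return None


# Constructed export set standing in for a real module's table
IMAGE = build_image({"LoadLibraryA": 0x1234, "GetProcAddress": 0x2345, "WinExec": 0x3456})

if __name__ == "__main__":
    print(hex(resolve(IMAGE, "WinExec")))
```

A real resolver hashes each name it reads (the step after DEC ECX that the listing cuts off) and compares the hash with a constant carried in the shellcode, so no API name need appear as a string; the fact that this sample nonetheless contains the names as plain strings is what makes the SC_STR_* heuristics fire.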