MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample exhibits characteristics of a callback phishing or tech-support scam, as indicated by the 'SE_CALLBACK_LURE' heuristic firing. The document body, though in Chinese, appears to be test data or internal notes rather than a user-facing lure. However, the presence of LoadLibrary and GetProcAddress API calls suggests the document likely contains or drops a malicious payload, potentially exploiting vulnerabilities or executing arbitrary code.
Heuristics 6
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 152,580 bytes but its declared streams total only 31,351 bytes — 121,229 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Callback phishing phone lure medium SE_CALLBACK_LUREDocument asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
Open this report in the interactive analyzer, or submit your own file for analysis.