MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The file is an Excel document with a high slack anomaly, indicating potential obfuscation or embedded content. Crucially, it contains an embedded PE executable, flagged by ClamAV as Win.Trojan.Agent-1266464. The presence of ShellExecute and LoadLibrary API calls further suggests the execution of this embedded payload. The document body contains what appears to be a list of names and financial data in Chinese, likely a lure to disguise the malicious intent.
Heuristics 5
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 106,496 bytes but its declared streams total only 34,657 bytes — 71,839 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00008e00.exe |
embedded-pe | Office MZ+PE at offset 0x8E00 | 70144 bytes |
SHA-256: 15e4f091971edf19ae2026ee3226ce3e6144fe981e10427106a03288f98e8dcc |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-1266464
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.