MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample exhibits high-confidence heuristics for API calls related to process creation and dynamic library loading (CreateProcess, VirtualAlloc, LoadLibrary, GetProcAddress), indicating it likely attempts to execute code. The presence of embedded URLs suggests a downloader functionality, aiming to retrieve and execute a second-stage payload from the listed domains. The OLE slack anomaly further suggests potential obfuscation or padding within the file structure.
Heuristics 7
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 173,984 bytes but its declared streams total only 21,151 bytes — 152,833 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.5iantlavalamp.com/Z
- http://www.5iantlavalamp.com/h
- http://www.5iamas-microsoft-com:office:smarttagsV
- http://www.5iantlavalamp.com/_
- http://www.5iantlavalamp.com/
Open this report in the interactive analyzer, or submit your own file for analysis.