Verdict: MALICIOUS (risk score 240)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This Office document carries an embedded PE executable (i.exe), delivered as an Ole10Native package object, which is flagged as a critical finding. The document also contains string references to the WinExec and VirtualAlloc APIs, which point to code that launches an external program and allocates executable memory. On their own these are static string hits (they show the names are present, not that the calls run), but together with the package they are consistent with dropper behaviour. The embedded executable is most likely the second-stage payload that the document writes to disk and launches, so the document functions as a malicious dropper.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6586737-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6586737-0
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside the document; possible embedded executable
- Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]: the OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
- Reference to WinExec API [high, SC_STR_WINEXEC]: the string "WinExec" is present in the file (a static string hit, not proof of execution)
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: the string "VirtualAlloc" is present in the file (a static string hit, not proof of execution)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0004262e.exe | embedded-pe | Office MZ+PE at offset 0x4262E | 88530 bytes | 79a92ce1c055fc6d65eb9175208a32b80615062d3cd0dce76e6d397a8658479e |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_983547946/Ole10Native | 41572 bytes | f73fab84adc922b6ff9eed356986d3e143c0e76353c042aeb7c6470cd7a8b2f3 |

Note that the carved PE (88530 bytes) is larger than the entire Ole10Native stream (41572 bytes), so the two artifacts cannot be the same bytes: either the document carries a second executable outside the package, or the offset-based carve ran past the PE's true end. Compare the PE's section table (and the package payload's own hash) before treating them as one payload.
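As an added example, not code from the analyzer or from whoever built the sample, the static checks behind the OLE_EMBEDDED_EXE, OFFICE_PACKAGE_RISKY_FILE and SC_STR_* heuristics and the artifact carving in the table above, in Python. The Ole10Native field layout follows the order oletools' OleNativeStream parser reads (an assumption here), the auto-executable extension set and the `build_*` sample bytes are constructed for the example, and `analyze`, `carve_pe`, `find_pe_headers` and `package_is_risky` are names chosen here rather than the analyzer's.

```python
import hashlib
import re
import struct

# Extensions Windows runs directly on double-click (a binary, or a script the default host
# runs). This set is an assumption for the example; the analyzer's own list is not shown.
AUTO_EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                  "wsf", "wsh", "hta", "ps1", "msi"}
API_STRINGS = {b"WinExec": "SC_STR_WINEXEC", b"VirtualAlloc": "SC_STR_VIRTUALALLOC"}

def _cstr(buf, pos):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream):
    """Parse an Ole10Native (OLE Package) stream into label, filename, temp path and data.
    Layout as read by oletools' OleNativeStream (an assumption here, not from the report):
    u32 size | u16 flags | label\\0 | filename\\0 | u16 | u16 | u32 path_len | path\\0 | u32 data_size | data
    """
    pos = 6  # skip total size (u32) and flags1 (u16)
    label, pos = _cstr(stream, pos)
    filename, pos = _cstr(stream, pos)
    pos += 8  # flags2, unknown short, temp path length
    temp_path, pos = _cstr(stream, pos)
    (data_size,) = struct.unpack_from("<I", stream, pos)
    data = stream[pos + 4:pos + 4 + data_size]
    if len(data) != data_size:
        raise ValueError("truncated Ole10Native payload")
    return {"label": label, "filename": filename, "temp_path": temp_path, "data": data}

def package_is_risky(label, filename):
    """OFFICE_PACKAGE_RISKY_FILE: displayName or fullPath ends in an auto-executable extension."""
    return any(n.rsplit(".", 1)[-1].lower() in AUTO_EXEC_EXTS for n in (label, filename) if "." in n)

def find_pe_headers(data):
    """OLE_EMBEDDED_EXE: offsets of 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits

def carve_pe(data, off):
    """Carve the PE at off; its end is the furthest PointerToRawData + SizeOfRawData in the
    section table. Overlay bytes appended after the last section are not recovered this way."""
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    pe = off + e_lfanew
    (nsec,) = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    sec = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    end = sec + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)
    return data[off:end]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def analyze(doc_bytes, ole10native_stream):
    """Reproduce the report's heuristic tags for one document and one of its package streams."""
    findings = []
    pkg = parse_ole10native(ole10native_stream)
    if package_is_risky(pkg["label"], pkg["filename"]):
        findings.append(("OFFICE_PACKAGE_RISKY_FILE", f"{pkg['label']} -> {pkg['filename']}"))
    for off in find_pe_headers(doc_bytes):
        carved = carve_pe(doc_bytes, off)
        findings.append(("OLE_EMBEDDED_EXE", f"offset 0x{off:X}, {len(carved)} bytes, sha256 {sha256(carved)}"))
    for needle, tag in API_STRINGS.items():
        if needle in doc_bytes:
            findings.append((tag, needle.decode()))
    return findings

def build_fake_pe():
    """Minimal MZ+PE image with one 16-byte section (constructed for the example; not runnable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40                                   # section data starts right after the headers
    section = b".text".ljust(8, b"\x00") + struct.pack("<IIII", 16, 0x1000, 16, raw_ptr) + b"\x00" * 16
    return bytes(dos) + b"PE\x00\x00" + coff + section + b"\x90" * 16

def build_ole10native(label, filename, payload):
    """Build an Ole10Native stream in the layout parse_ole10native expects (constructed sample)."""
    body = (struct.pack("<H", 2) + label.encode() + b"\x00" + filename.encode() + b"\x00"
            + struct.pack("<HHI", 0, 3, len(filename) + 1) + filename.encode() + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    stream = build_ole10native("i.exe", "C:\\Users\\user\\Desktop\\i.exe", build_fake_pe())
    # Constructed stand-in for the document: CFB magic, filler, one API string, then the package stream.
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512 + b"WinExec\x00" + stream
    for tag, detail in analyze(doc, stream):
        print(tag, detail)
```

On a real .doc the Ole10Native stream comes out of the compound file with the olefile package, e.g. `olefile.OleFileIO(path).openstream(["ObjectPool", "_983547946", "Ole10Native"]).read()`, and `analyze` is then run over the whole file's bytes. The size `carve_pe` derives from the section table is the figure to compare against the 88530-byte offset-based carve in the table above: a mismatch means either overlay data appended to the image or a carve that ran past it.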