Verdict: MALICIOUS
Risk Score: 380

Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1055.012 Process Hollowing
T1055.001 Dynamic-link Library Injection (sub-technique of T1055 Process Injection)
The sample fires critical heuristics for string references to WriteProcessMemory and CreateRemoteThread, the canonical pair for writing a payload into another process and starting a thread on it (T1055). It also references WinExec, CreateProcess, VirtualAlloc, VirtualProtect and GetProcAddress, consistent with a staged payload that allocates executable memory, resolves imports at runtime and launches a child process, and it contains an x86 GetPC stub (CALL $+5; POP EAX), a position-independent shellcode idiom. The ClamAV detection Win.Trojan.Inject-351 supports the malicious classification. Note that these heuristics fire on strings and byte patterns present in the file, not on observed behaviour: they establish capability rather than execution. The document body content appears to be unrelated filler text, no scripts were extracted, and the five extracted URLs are standard Apple plist DTD, Adobe XMP and W3C RDF namespace identifiers rather than network indicators.
Heuristics (10)

Severity  ID                         Description
critical  SC_STR_WRITEPROCESSMEMORY  Reference to WriteProcessMemory API
critical  SC_STR_CREATEREMOTETHREAD  Reference to CreateRemoteThread API
critical  CLAMAV_DETECTION           ClamAV detected this file as malware: Win.Trojan.Inject-351
high      SC_GETPC_CALL              x86 GetPC stub (CALL $+5; POP EAX)
high      SC_STR_WINEXEC             Reference to WinExec API
high      SC_STR_CREATEPROCESS       Reference to CreateProcess API
high      SC_STR_GETPROCADDRESS      Reference to GetProcAddress API
medium    SC_STR_VIRTUALALLOC        Reference to VirtualAlloc API
medium    SC_STR_VIRTUALPROTECT      Reference to VirtualProtect API
info      EMBEDDED_URL               One or more URLs were extracted from the document

EMBEDDED_URL: the URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
- http://www.apple.com/DTDs/PropertyList-1.0.dtd
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/
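To make concrete what a "Reference to X API" heuristic, the GetPC stub check and the per-URL labelling actually test, here is an added, illustrative scanner in Python that reproduces those string and byte-pattern checks over a constructed sample. It is not the analyzer's own code: the heuristic IDs and severities are the ones listed above, but the severity weights, the scoring formula, the benign-namespace allow-list and the sample bytes are assumptions (the report does not publish how its 380 risk score is derived).

```python
import re
from collections import Counter

# Severity weights are an assumption for illustration; the report's own
# formula for its risk score is not published.
SEVERITY_WEIGHT = {"critical": 100, "high": 50, "medium": 20, "info": 0}

# Heuristic IDs and severities as listed in the report; the needle is the
# API name searched for as a substring (so CreateProcess also covers
# CreateProcessA/W and VirtualAlloc covers VirtualAllocEx).
API_HEURISTICS = [
    ("SC_STR_WRITEPROCESSMEMORY", "critical", b"WriteProcessMemory"),
    ("SC_STR_CREATEREMOTETHREAD", "critical", b"CreateRemoteThread"),
    ("SC_STR_WINEXEC", "high", b"WinExec"),
    ("SC_STR_CREATEPROCESS", "high", b"CreateProcess"),
    ("SC_STR_GETPROCADDRESS", "high", b"GetProcAddress"),
    ("SC_STR_VIRTUALALLOC", "medium", b"VirtualAlloc"),
    ("SC_STR_VIRTUALPROTECT", "medium", b"VirtualProtect"),
]

# x86 GetPC stub: E8 00 00 00 00 is CALL $+5 (pushes the address of the next
# instruction), 58 is POP EAX, leaving the current address in EAX.
GETPC_CALL_POP_EAX = b"\xe8\x00\x00\x00\x00\x58"

# Metadata namespace and DTD prefixes that legitimate documents carry
# (assumed allow-list); URLs under them are labelled info and never scored.
BENIGN_URL_PREFIXES = ("http://ns.adobe.com/", "http://www.w3.org/",
                       "http://www.apple.com/DTDs/")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")


def find_api_references(data):
    """Return (heuristic_id, severity) for each API name present as an
    ASCII or UTF-16LE string anywhere in the file."""
    hits = []
    for hid, sev, name in API_HEURISTICS:
        wide = name.decode("ascii").encode("utf-16-le")
        if name in data or wide in data:
            hits.append((hid, sev))
    return hits


def find_getpc_stub(data):
    """True if the CALL $+5; POP EAX byte sequence occurs in the file."""
    return GETPC_CALL_POP_EAX in data


def extract_urls(data):
    """Return (url, label) pairs; label is 'info' for known metadata
    namespaces and 'review' for anything else."""
    urls = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        label = "info" if url.startswith(BENIGN_URL_PREFIXES) else "review"
        urls.append((url, label))
    return urls


def scan(data):
    """Run all heuristics and return hits, a weighted score and URL labels."""
    hits = find_api_references(data)
    if find_getpc_stub(data):
        hits.append(("SC_GETPC_CALL", "high"))
    score = sum(SEVERITY_WEIGHT[sev] for _, sev in hits)
    return {
        "hits": hits,
        "score": score,
        "by_severity": dict(Counter(sev for _, sev in hits)),
        "urls": extract_urls(data),
    }


# Constructed sample: an import-name-like string table, a GetPC stub and an
# XMP fragment. It is synthetic, not bytes from the analysed file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00VirtualAlloc\x00VirtualProtect\x00WriteProcessMemory\x00"
    + b"CreateRemoteThread\x00GetProcAddress\x00CreateProcessA\x00WinExec\x00"
    + b"\xe8\x00\x00\x00\x00\x58\x83\xc0\x10"  # CALL $+5 ; POP EAX ; ADD EAX,0x10
    + b'<x:xmpmeta xmlns:x="http://ns.adobe.com/xap/1.0/" '
    + b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
)

if __name__ == "__main__":
    result = scan(SAMPLE)
    for hid, sev in result["hits"]:
        print(f"{sev:<8} {hid}")
    for url, label in result["urls"]:
        print(f"{label:<8} {url}")
    print("score:", result["score"], result["by_severity"])
```

Because these are substring checks, CreateProcess also matches CreateProcessA, CreateProcessW and CreateProcessAsUser; that looseness is deliberate for a string heuristic, and it is also why a hit is evidence that the capability is present in the file, not that the call was made. The XMP and RDF URLs in the sample come out labelled info with no contribution to the score, which is exactly how the report treats its five extracted namespace URLs.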