MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1027 Obfuscated Files or Information
The presence of an embedded SWF (Flash) file within the OLE document, coupled with a significant slack space anomaly, strongly indicates malicious intent. The embedded Flash object is likely used to exploit vulnerabilities or deliver a secondary payload. The document body is heavily obfuscated and contains formatting strings, further obscuring its true nature. The unknown reputation URLs warrant further investigation as potential command and control or download sites.
Heuristics 4
-
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWFDocument contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 1,553,268 bytes but its declared streams total only 56,346 bytes — 1,496,922 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.zone-archive.com
- http://www.hentaikey.com/sys/members/signup.php?referal=7299
- http://www.microsoft.com
- https://www.verisign.com/rpa
- http://ocsp.verisign.com/ocsp/status0
- https://www.verisign.com/rpa0
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
Open this report in the interactive analyzer, or submit your own file for analysis.