Verdict: MALICIOUS
Risk Score: 240

Malware Insights

MITRE ATT&CK
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1566.001 Phishing: Spearphishing Attachment
- T1105 Ingress Tool Transfer
The critical heuristic OLE_EMBEDDED_EXE flags a Portable Executable (PE) image embedded inside the OLE document. The high-severity heuristics SC_PEB_ACCESS, SC_STR_LOADLIBRARY and SC_STR_GETPROCADDRESS together look like position-independent shellcode or a loader: reading the PEB through fs:[0x30] is the standard way such code locates kernel32 without an import table, and LoadLibrary/GetProcAddress are then resolved by name to pull in whatever else it needs. The embedded executable is the primary indicator of malicious intent and most likely serves as the first stage of a multi-stage attack. The carved PE (80,384 bytes at offset 0x1EC00, i.e. 125,952) runs exactly to the end of the 206,336-byte file, so it accounts for nearly all of the 82,636 unaccounted-for bytes that OLE_SLACK_ANOMALY reports; the two findings describe the same hidden region.
Heuristics (6)

| Heuristic | Severity | ID | Detail |
|---|---|---|---|
| Embedded PE executable | critical | OLE_EMBEDDED_EXE | MZ/PE header found inside the document; possible embedded executable |
| PEB access via FS segment (x86) | high | SC_PEB_ACCESS | Code reads the PEB through fs:[0x30], the usual first step for shellcode that walks the loader's module list to find kernel32 |
| Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY | The string LoadLibrary appears in the file, consistent with a loader resolving imports by name |
| Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS | The string GetProcAddress appears in the file, consistent with a loader resolving imports by name |
| OLE document has large unaccounted-for region | high | OLE_SLACK_ANOMALY | The OLE file is 206,336 bytes but its declared streams total only 123,700 bytes; 82,636 bytes (40%) lie in unallocated sector slack. This is the classic hiding place for exploit-style (pre-macro-era) Office payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure |
| NOP-equivalent sled detected | medium | SC_NOP_EQUIV_SLED | Long run of 0x61 bytes (popad on 32-bit x86, also ASCII 'a'), a NOP-equivalent sled that widens the landing zone for a hijacked control transfer |
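The slack accounting behind OLE_SLACK_ANOMALY can be reproduced from the CFB ([MS-CFB]) structure alone: sum the stream sizes recorded in the directory, count the sectors the FAT marks as in use, and compare both with the file size. The block below is an added example and not the analyzer's own code. It builds a constructed minimal CFB container (the stream name, sizes and the trailing bytes are made up), then reports what the container declares versus what the file actually holds. The function names build_cfb and slack_report are mine.

```python
import struct

# CFB (OLE2 / [MS-CFB]) constants for a version-3 container with 512-byte sectors
SECTOR_SHIFT = 9
SECTOR = 1 << SECTOR_SHIFT
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
STREAM, ROOT = 2, 5  # directory entry object types


def slack_report(blob):
    """Compare what the container declares with what the file holds.

    Returns declared stream bytes (sum of stream sizes in the directory),
    allocated bytes (header plus every sector the FAT marks as in use) and
    the remainder, which no structure in the file accounts for.
    Only FAT sectors listed in the header DIFAT are read (up to 109, i.e.
    files under ~6.8 MB at 512-byte sectors), which covers typical documents.
    """
    if blob[:8] != MAGIC:
        raise ValueError("not a CFB/OLE2 file")
    sec = 1 << struct.unpack_from("<H", blob, 30)[0]
    nfat, first_dir = struct.unpack_from("<II", blob, 44)
    difat = struct.unpack_from("<109I", blob, 76)[:nfat]

    fat = []
    for fat_sector in difat:                       # sector n starts at byte (n + 1) * sec
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), blob, (fat_sector + 1) * sec))

    def chain(start):                              # follow a FAT chain; special values are >= len(fat)
        seen = set()
        while start < len(fat) and start not in seen:
            seen.add(start)
            yield start
            start = fat[start]

    declared = 0
    for s in chain(first_dir):
        base = (s + 1) * sec
        for i in range(sec // 128):                # 128-byte directory entries
            entry = blob[base + i * 128: base + (i + 1) * 128]
            if entry[66] == STREAM:
                # version-3 files use only the low 32 bits of the 64-bit size field
                declared += struct.unpack_from("<Q", entry, 120)[0] & 0xFFFFFFFF

    allocated = sec * (1 + sum(1 for x in fat if x != FREESECT))
    unaccounted = len(blob) - allocated
    return {
        "file_size": len(blob),
        "declared_stream_bytes": declared,
        "allocated_bytes": allocated,
        "unaccounted_bytes": unaccounted,
        "unaccounted_pct": round(100.0 * unaccounted / len(blob), 1),
    }


def _dir_entry(name, obj_type, child, start, size):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)          # name length, type, colour
    struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, child)  # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)                    # starting sector, stream size
    return bytes(e)


def build_cfb(stream_size, trailing=b""):
    """Constructed minimal CFB (not a real document): header, one FAT sector,
    one directory sector, one stream, then `trailing` bytes no chain references."""
    nsec = (stream_size + SECTOR - 1) // SECTOR
    fat = [FREESECT] * (SECTOR // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN               # sector 0 = the FAT, sector 1 = directory
    for i in range(nsec):                              # stream occupies sectors 2 .. 2 + nsec - 1
        fat[2 + i] = 3 + i if i < nsec - 1 else ENDOFCHAIN
    hdr = bytearray(SECTOR)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, SECTOR_SHIFT, 6)  # versions, byte order, sector shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))            # DIFAT: the FAT lives in sector 0
    directory = (_dir_entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                 + _dir_entry("WordDocument", STREAM, 0xFFFFFFFF, 2, stream_size)).ljust(SECTOR, b"\x00")
    data = (b"A" * stream_size).ljust(nsec * SECTOR, b"\x00")
    return bytes(hdr) + struct.pack("<%dI" % len(fat), *fat) + directory + data + trailing


if __name__ == "__main__":
    print(slack_report(build_cfb(8192)))                                 # nothing unaccounted for
    print(slack_report(build_cfb(8192, trailing=b"\x7F" * 3000)))       # 3000 bytes past the last allocated sector
```

The report's 123,700-byte figure corresponds to declared_stream_bytes; allocated_bytes is the stricter measure, since it also credits the header, FAT and directory sectors, so anything it leaves unaccounted for is data that no part of the container structure points at.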
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0001ec00.exe | embedded-pe | Office MZ+PE at offset 0x1EC00 | 80384 bytes | d1aa35d94be203250412f04f828e1c292086db9a344777860405a3a255c21d72 |
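The carving and shellcode heuristics above (OLE_EMBEDDED_EXE, SC_PEB_ACCESS, SC_STR_LOADLIBRARY, SC_STR_GETPROCADDRESS, SC_NOP_EQUIV_SLED) can be illustrated with a small scanner. What follows is an added example written for this page, not the analyzer's implementation; it reuses the report's heuristic IDs and filename convention, but the matching logic and thresholds are my own assumptions. It runs against a constructed blob that stands in for the document (a fs:[0x30] read, a 0x61 sled, API name strings and a minimal one-section PE), validates each MZ candidate through its PE header, and sizes the carve from the section table rather than simply reading to end of file.

```python
import hashlib
import struct

# One-byte x86 instructions used as NOP-equivalent padding:
# 0x90 nop, 0x61 popad, 0x41 inc ecx (the report's sled was 0x61)
SLED_BYTES = {0x90, 0x61, 0x41}
API_STRINGS = {"SC_STR_LOADLIBRARY": b"LoadLibrary", "SC_STR_GETPROCADDRESS": b"GetProcAddress"}


def peb_access_patterns():
    """Encodings of 32-bit 'mov reg, fs:[0x30]', the TEB->PEB read shellcode uses
    to reach the loader's module list. Variants that zero a register first and
    read fs:[reg+0x30] are not covered here."""
    pats = [b"\x64\xa1\x30\x00\x00\x00"]                    # mov eax, fs:[0x30] (A1 moffs form)
    for reg in range(8):                                    # 64 8B /r, ModRM mod=00 r/m=101 (disp32)
        pats.append(b"\x64\x8b" + bytes([0x05 | (reg << 3)]) + b"\x30\x00\x00\x00")
    return pats


def find_sleds(blob, min_run=32):
    """Return (offset, byte, length) for every run of a sled byte at least min_run long."""
    runs, i, n = [], 0, len(blob)
    while i < n:
        b = blob[i]
        if b not in SLED_BYTES:
            i += 1
            continue
        j = i
        while j < n and blob[j] == b:
            j += 1
        if j - i >= min_run:
            runs.append((i, b, j - i))
        i = j
    return runs


def pe_raw_size(blob, off):
    """On-disk size of a PE image starting at `off`, from its section table; None if not a PE."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or blob[pe:pe + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]              # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]         # SizeOfOptionalHeader
    sections = pe + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    size = sections + 40 * nsec - off
    if not 0 < nsec <= 96 or off + size > len(blob):
        return None
    for k in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sections + 40 * k + 16)
        size = max(size, raw_ptr + raw_size)                      # SizeOfRawData + PointerToRawData
    return min(size, len(blob) - off)                             # a truncated tail still carves what is there


def find_embedded_pe(blob):
    found, i = [], blob.find(b"MZ")
    while i != -1:
        size = pe_raw_size(blob, i)
        if size:
            found.append((i, size))
        i = blob.find(b"MZ", i + 1)
    return found


def analyze(blob):
    """Run the heuristics and return (hits, carved artifacts)."""
    hits, artifacts = [], []
    for off, size in find_embedded_pe(blob):
        data = blob[off:off + size]
        artifacts.append({"name": "embedded_office_%08x.exe" % off, "offset": off,
                          "size": size, "sha256": hashlib.sha256(data).hexdigest()})
        hits.append(("OLE_EMBEDDED_EXE", "critical", "MZ/PE header at offset 0x%X" % off))
    if any(p in blob for p in peb_access_patterns()):
        hits.append(("SC_PEB_ACCESS", "high", "mov reg, fs:[0x30]"))
    for hid, s in API_STRINGS.items():
        if s in blob:
            hits.append((hid, "high", "string %r at 0x%X" % (s, blob.find(s))))
    for off, b, n in find_sleds(blob):
        hits.append(("SC_NOP_EQUIV_SLED", "medium", "run of %d x 0x%02X at 0x%X" % (n, b, off)))
    return hits, artifacts


def build_sample():
    """Constructed stand-in for the document (not the real sample): filler, a
    fs:[0x30] read, a 0x61 sled, API name strings, then a minimal one-section PE."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                                  # e_lfanew
    pe[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 1 section, 224-byte optional header
    struct.pack_into("<H", pe, 0x58, 0x10B)                                 # PE32 magic
    sec = 0x58 + 0xE0
    pe[sec:sec + 8] = b".text\x00\x00\x00"
    struct.pack_into("<IIII", pe, sec + 8, 0x200, 0x1000, 0x200, 0x200)     # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    pe += b"\xCC" * 0x200                                                   # section body
    return (b"\x00" * 0x400 + b"\x64\xa1\x30\x00\x00\x00" + b"\x61" * 48
            + b"LoadLibraryA\x00GetProcAddress\x00" + b"\x00" * 0x100 + bytes(pe) + b"\x00" * 0x80)


if __name__ == "__main__":
    hits, artifacts = analyze(build_sample())
    for h in hits:
        print("%-22s %-8s %s" % h)
    for a in artifacts:
        print(a)
```

Sizing the carve from the section table matters on real documents: the embedded image is usually followed by more document data or padding, and hashing a carve that includes that trailing material produces a digest that will never match the same payload seen elsewhere.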