Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92f127f98107efeb…

MALICIOUS

Office (OLE)

Size: 107.5 KB
Created: 2020-03-03 11:59:47
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 58429f3ec6bb0dd204c07ebbf5592d51
SHA-1: 0afa6ff5341fef503671111647d73212406f5e7a
SHA-256: 92f127f98107efeb6750cbe46fce0e77f0b1a63d6d9348507fd58b86ccff1774
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The file is an Office document that contains embedded URLs and triggers heuristics related to PowerShell and command execution. Specifically, it references PowerShell and contains the command sequence 'cmd/c powershell -executionpolicy bypass -W Hidden -command', indicating an attempt to execute a malicious script. The embedded URLs likely serve as sources for downloading additional malicious content.

Heuristics (3)

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (all reached via the document text, OLE body):
    • http://jkpjebc.xyz (in document text, OLE body)
    • https://raw.githubusercontent.com/eltakikim/m301xw/gh-pages/7q32waci9riv2.jpg (in document text, OLE body)