MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
The file is an OLE document with a significant slack space anomaly, indicating it might be packed or contain hidden data. A heuristic firing for CreateProcess API suggests the potential execution of external processes. The document body contains references to embedded Office objects (Excel, PowerPoint), which could be used to deliver malicious payloads. However, no specific IOCs like URLs or hashes were extracted, and the exact nature of the payload remains unclear.
Heuristics 2
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 101,376 bytes but its declared streams total only 31,351 bytes — 70,025 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.