MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The sample is an OLE document with a high degree of slack space, indicating potential obfuscation or embedded malicious content. A heuristic firing indicates a reference to the CreateProcess API, suggesting an attempt to launch an external process. No document body text or scripts were extracted to further clarify the intent. The confidence is lowered due to the lack of specific script or body content to confirm the exact nature of the execution.
Heuristics 3
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 172,960 bytes but its declared streams total only 21,151 bytes — 151,809 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
Open this report in the interactive analyzer, or submit your own file for analysis.