Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1071.001 Web Protocols
The sample is an Office document containing an embedded PE executable. Heuristics indicate heap spraying and the use of Windows APIs such as CreateProcess, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used to execute malicious payloads. The document body explicitly states it is an 'Antivirus Bait file', further supporting its malicious nature. The embedded executable is the primary IOC.
Heuristics (9)
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found
  Disassembly (attempted x86 opcode disassembly): 00064683–000646E2: 41 inc ecx, repeated 96 times
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 942,465 bytes but its declared streams total only 12,288 bytes — 930,177 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x41 bytes
  Disassembly (attempted x86 opcode disassembly): 00064683–000646E2: 41 inc ecx, repeated 96 times (the same 0x41 run reported under SC_HEAP_SPRAY)
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs found in document text (OLE body):
  - http://ocsp.verisign.com0
  - http://www.nirsoft.net/articles/saved_password_location.html
  - http://www.nirsoft.net/utils/internet_explorer_password.html
  - http://www.mozilla.org/MPL/
  - http://www.json.org/
  - http://www.json.org/json.js
  - http://crl.verisign.com/ThawteTimestampingCA.crl0
  - http://crl.verisign.com/tss-ca.crl0
  - http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O
  - http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
  - http://office.microsoft.com
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_0007b859.exe | embedded-pe | Office MZ+PE at offset 0x7B859 | 436520 bytes | 85dbd47103dfc1a67cdc6f360be72f2e2edcaeb290a9f00c0c15dafb3e9a0c75 |