Verdict: MALICIOUS (Risk Score 202)
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The file is identified as a malicious OLE document containing an embedded SWF (Flash) object, suggesting it's designed to exploit vulnerabilities within Flash or deliver a secondary payload. The presence of XOR-encoded strings and a large slack space with an appended payload further indicates malicious intent. While the embedded URL is benign, the overall structure points towards a downloader or exploit delivery mechanism, likely distributed via spearphishing.
Heuristics (5)
- XOR-encoded strings (key 0x85) [critical] SC_XOR_ENCODED: Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x85: 'GetProcAddress', 'VirtualProtect', 'ShellExecuteA'
  Disassembly: attempted x86 opcode disassembly of the region starting at offset 0000B084.
- Embedded Adobe Flash (SWF) in OLE document [critical] OFFICE_EMBEDDED_SWF: Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
- OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY: OLE file is 375,786 bytes but its declared streams total only 22,169 bytes; 353,617 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD: OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://adobe.com/AS3/2006/builtin (in document text, OLE body). This string is the ActionScript 3 built-in namespace URI that appears inside SWF bytecode, which is why it is treated as benign rather than as an attacker-controlled address.