Verdict: MALICIOUS
Risk Score: 208

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1105 Ingress Tool Transfer
- T1027 Obfuscated Files or Information
- T1218 Signed Binary Proxy Execution
The document contains urgency lures, suggesting a phishing or scam attempt. High-severity heuristics indicate the use of PEB access and API hash resolution, common in malware for evading detection. References to VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress suggest dynamic code loading and execution. The embedded URL likely leads to a malicious payload download. The document body is heavily obfuscated and unreadable, further supporting a malicious intent.
Heuristics (8)

- PEB access via FS segment (x86) [severity: high, id: SC_PEB_ACCESS]: PEB access via FS segment (x86)
- PEB API-hash resolver [severity: high, id: SC_API_HASH_RESOLVER]: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
- Reference to LoadLibrary API [severity: high, id: SC_STR_LOADLIBRARY]: Reference to LoadLibrary API
- Reference to GetProcAddress API [severity: high, id: SC_STR_GETPROCADDRESS]: Reference to GetProcAddress API
- Reference to VirtualAlloc API [severity: medium, id: SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API
- Reference to VirtualProtect API [severity: medium, id: SC_STR_VIRTUALPROTECT]: Reference to VirtualProtect API
- Urgency / deadline lure [severity: low, id: SE_URGENCY_LURE]: Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
- Embedded URL [severity: info, id: EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://upiasia.com/columnist/plas_rapid_reaction_capability_in_tibet/