MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The sample is an OLE document that contains an embedded PE executable. Heuristics indicate the presence of API hashing and LoadLibrary/GetProcAddress, suggesting the embedded executable is likely a malicious payload. The document body is heavily corrupted and unreadable, providing no direct clues about the lure. No VBA macros were extracted, but the embedded executable is the primary indicator of malicious intent.
Heuristics 7
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00018200.exee9df6f5a625dee90c644fcf00032f79cdd8b9e6eb7fbb703321bc632cd70676e |
embedded-pe | Office MZ+PE at offset 0x18200 | 135168 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.