MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The file is an Office document containing an embedded Portable Executable (PE) file, identified as a critical finding. Heuristics indicate the use of APIs commonly associated with loading and executing code (VirtualAlloc, LoadLibrary, GetProcAddress). The embedded executable is likely the primary payload, intended for delivery via email as suggested by the document's metadata and body content.
Heuristics 5
-
ClamAV: Win.Trojan.Agent-507916 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Agent-507916
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00005000.exe |
embedded-pe | Office MZ+PE at offset 0x5000 | 194048 bytes |
SHA-256: 80b9df4ad11ef62140e5f6acd86eb1ae3887d2e8b1ff8f0e38281ab118f1a4f6 |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-507916
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.