MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is a PowerPoint file identified as malicious due to the presence of an embedded PE executable. Heuristics indicate the use of APIs such as CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the embedded executable is designed to run and potentially load additional malicious code. The embedded URL, while seemingly benign, could be a lure or part of a broader infrastructure. The document body discusses sex education, which is likely a pretext to disguise the malicious nature of the file.
Heuristics 7
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.amsa.org/hp/sexed.cfm2
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00007918.exe86213d1a25750d858f485998b1801afc5c9446342269086ff32ca33ee1f0cdf8 |
embedded-pe | Office MZ+PE at offset 0x7918 | 105192 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.