MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is an Office document containing an embedded PE executable, detected by ClamAV as Win.Trojan.Agent-1266464. Heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress APIs, common in malware execution. The document body, though in Chinese and related to payment information, serves as a lure. The embedded executable is the primary indicator of malicious intent.
Heuristics 4
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0002ee00.exe |
embedded-pe | Office MZ+PE at offset 0x2EE00 | 70144 bytes |
SHA-256: 7f1487bb6361d6e8a0ffa4418a0edc7e343a1b9afa37f3a953dd97a27a84aeaf |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-1266464
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.