Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d6eb19d4db2ac5b2…

MALICIOUS

Type: Office (OLE) / .XLS
Size: 84.0 KB (86,016 bytes)
MD5:     e55a584fb987085e658e1720b22ea177
SHA-1:   633095e4958c711651363fd9f4f5051929d8a2f2
SHA-256: d6eb19d4db2ac5b2aeca148d517cf85a2751782951f6f5c149fbf936e9bb2b12
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE (Compound File Binary) document with a large slack-space anomaly: roughly three quarters of the file lies in sectors that no declared stream owns, which is where pre-macro-era Office exploit documents typically stash their payload. Heuristics also found a Windows API name XOR-encoded with a single-byte key and an x86 PEB-access pattern; together these are characteristic of position-independent shellcode that resolves its imports at runtime instead of through an import table. The document body presents itself as an application form for various permits, a common lure for phishing and social engineering. No scripts were extracted, so the indicators point to an exploit-plus-shellcode chain rather than a macro, most likely acting as a downloader or dropper stage.
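The two shellcode heuristics in this report (XOR-encoded API names and fs:[0x30] PEB access) are simple to reproduce over a raw byte region. The following is an added example, not code from the scanner that produced the report: it brute-forces every single-byte XOR key against a short list of API names and pattern-matches the x86 PEB-load instruction encodings. The byte buffer it scans is constructed here to stand in for the slack region; it is not data from the real sample.

```python
"""Shellcode-indicator scan over a slack-space byte buffer (added example)."""
import re

# API names whose XOR-encoded presence in non-stream bytes is a strong signal
# that shellcode resolves its imports at runtime (there is no import table).
API_NAMES = [b"RegOpenKeyExA", b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
             b"URLDownloadToFileA", b"WinExec", b"CreateProcessA", b"ShellExecuteA"]

# x86 reads of the PEB pointer through the FS segment (TEB+0x30):
#   64 A1 30 00 00 00       mov eax, fs:[0x30]
#   64 8B /r 30 00 00 00    mov r32, fs:[0x30]  (ModRM mod=00, rm=101 = disp32)
PEB_PATTERNS = [
    re.compile(rb"\x64\xA1\x30\x00\x00\x00"),
    re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00"),
]


def find_xor_encoded_api_names(data: bytes, names=API_NAMES):
    """Try every single-byte key and report API names found XOR-encoded."""
    hits = []
    for key in range(1, 256):                    # key 0 would be plaintext
        for name in names:
            encoded = bytes(b ^ key for b in name)
            start = 0
            while (idx := data.find(encoded, start)) != -1:
                hits.append({"offset": idx, "key": key, "name": name.decode()})
                start = idx + 1
    return hits


def find_peb_access(data: bytes):
    """Offsets of instructions that load the PEB pointer via fs:[0x30]."""
    return sorted(m.start() for pat in PEB_PATTERNS for m in pat.finditer(data))


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def triage(data: bytes):
    """Combine both heuristics the way the report does."""
    xor_hits = find_xor_encoded_api_names(data)
    peb_hits = find_peb_access(data)
    if xor_hits and peb_hits:
        verdict = "shellcode-like"   # decoded imports plus manual module walk
    elif xor_hits or peb_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "xor_hits": xor_hits,
        "xor_keys": sorted({h["key"] for h in xor_hits}),
        "peb_offsets": peb_hits,
        "verdict": verdict,
    }


# Constructed stand-in for the slack region (NOT bytes from the real file):
# a PEB-walk prologue and one API name encoded with key 0x97, in NOP filler.
KEY = 0x97
STUB = bytes.fromhex(
    "64A130000000"   # mov eax, fs:[0x30]     ; eax = PEB
    "8B400C"         # mov eax, [eax+0x0C]    ; eax = PEB.Ldr
    "8B4014"         # mov eax, [eax+0x14]    ; InMemoryOrderModuleList.Flink
)
SAMPLE_SLACK = (b"\x90" * 64 + STUB + b"\x90" * 32
                + xor_decode(b"RegOpenKeyExA", KEY) + b"\x90" * 64)

if __name__ == "__main__":
    result = triage(SAMPLE_SLACK)
    for h in result["xor_hits"]:
        print(f"XOR key 0x{h['key']:02X} at offset {h['offset']}: {h['name']}")
    print("PEB access at offsets:", result["peb_offsets"])
    print("verdict:", result["verdict"])
```

Keep the API list short and distinctive: brute-forcing 255 keys against long lists of common words produces false positives on ordinary text, whereas 12-plus-character API names XOR-matched under one key are rarely accidental. On a real file, feed the function the bytes beyond the last FAT-allocated sector rather than the whole document.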

Heuristics (3)

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 1 Windows API name XOR-encoded with the single-byte key 0x97: 'RegOpenKeyExA' (exported by advapi32). Encoding API names this way keeps them out of plain-string scans; shellcode decodes each name at runtime immediately before resolving it, so the plaintext never appears in the file.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    The code reads the Process Environment Block through the FS segment (fs:[0x30] holds the PEB pointer in the 32-bit TEB). This is the standard opening move of position-independent shellcode, which walks the module list under PEB.Ldr to locate kernel32 and resolve APIs without an import table.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 86,016 bytes, but its declared streams total only 21,308 bytes; the remaining 64,708 bytes (75%) lie in sector slack that no stream owns. That region is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
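The slack heuristic reduces to a Compound File Binary bookkeeping check: read the sector size and FAT from the header, walk the directory chain summing declared stream sizes, and compare the sectors the FAT marks as allocated against the file's actual length. The following is an added example, not the tool that produced this report. Its `build_sample` constructs a minimal but well-formed v3 CFB container (one FAT sector, one directory sector, one stream) with unallocated bytes appended, so the check can run offline; the 86,016 / 21,308 figures above come from the real sample, while the numbers this code produces describe only the constructed file. Mini-stream (small stream) accounting and DIFAT sectors are assumed absent.

```python
"""Compound File (OLE) slack-space check with a constructed sample (added example)."""
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
STREAM, ROOT = 2, 5            # directory-entry object types


def slack_report(data: bytes) -> dict:
    """Compare file size against what the FAT and directory account for."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File")
    major, = struct.unpack_from("<H", data, 0x1A)
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    ssz = 1 << sector_shift
    num_fat_sectors, first_dir = struct.unpack_from("<II", data, 0x2C)
    # First 109 FAT sector locations live in the header DIFAT array
    # (assumption: the file is small enough to need no DIFAT sectors).
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for loc in difat[:num_fat_sectors]:
        fat.extend(struct.unpack_from(f"<{ssz // 4}I", data, (loc + 1) * ssz))

    declared = 0                               # sum of declared stream sizes
    sec, seen = first_dir, set()
    while sec != ENDOFCHAIN and sec not in seen and sec < len(fat):
        seen.add(sec)
        base = (sec + 1) * ssz
        for i in range(ssz // 128):            # 128-byte directory entries
            entry = base + 128 * i
            if data[entry + 0x42] == STREAM:
                size, = struct.unpack_from("<Q", data, entry + 0x78)
                declared += (size & 0xFFFFFFFF) if major == 3 else size
        sec = fat[sec]

    sectors_in_file = (len(data) - ssz) // ssz
    allocated = sum(1 for i in range(min(sectors_in_file, len(fat))) if fat[i] != FREESECT)
    unaccounted = len(data) - ssz - allocated * ssz    # bytes no FAT entry owns
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "allocated_sector_bytes": allocated * ssz,
        "unaccounted_bytes": unaccounted,
        "unaccounted_ratio": round(unaccounted / len(data), 3),
        "anomalous": unaccounted / len(data) > 0.25,   # threshold is an assumption
    }


def _dir_entry(name: str, obj_type: int, start: int, size: int, child: int = NOSTREAM) -> bytes:
    e = bytearray(128)
    enc = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(enc)] = enc
    struct.pack_into("<HBB", e, 0x40, len(enc), obj_type, 1)      # name len, type, colour
    struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)   # left, right, child
    struct.pack_into("<IQ", e, 0x74, start, size)                  # start sector, size
    return bytes(e)


def build_sample(stream: bytes, slack: bytes) -> bytes:
    """Constructed minimal CFB: header, FAT (sector 0), directory (sector 1),
    one stream from sector 2, then `slack` appended beyond any allocated sector."""
    ssz = 512
    n = -(-len(stream) // ssz)                       # stream occupies sectors 2..n+1
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for i in range(n):
        fat[2 + i] = 3 + i if i < n - 1 else ENDOFCHAIN
    hdr = bytearray(ssz)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, little-endian, 512/64
    struct.pack_into("<IIIIIIIII", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: FAT is sector 0
    directory = (_dir_entry("Root Entry", ROOT, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("Workbook", STREAM, 2, len(stream))
                 + bytes(256))                                    # two unallocated entries
    return bytes(hdr) + struct.pack(f"<{ssz // 4}I", *fat) + directory \
        + stream.ljust(n * ssz, b"\0") + slack


# Constructed inputs: 5,000 bytes of filler as the 'Workbook' stream, and
# 8,192 bytes of trailing slack that no stream or FAT entry claims.
SAMPLE_STREAM = b"\x09\x08\x10\x00" * 1250
SLACK_BYTES = b"\x97" * 8192
SAMPLE_FILE = build_sample(SAMPLE_STREAM, SLACK_BYTES)

if __name__ == "__main__":
    for k, v in slack_report(SAMPLE_FILE).items():
        print(f"{k:>22}: {v}")
```

On the real sample the same arithmetic gives 64,708 unaccounted bytes out of 86,016. A benign workbook usually shows near-zero slack (at most a partial final sector), so a ratio in the tens of percent is worth carving out and scanning for shellcode indicators.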