MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The document contains a lure for recovery secrets or private keys, indicating a phishing or social engineering attempt. It also includes an embedded OLE object and references to 'wget' commands, suggesting the download and execution of external scripts or payloads. The presence of shellcode API strings and a command to download a shell script from GitHub further supports this. The overall goal appears to be to trick the user into divulging sensitive information or executing malicious code.
Heuristics 6
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKSDocument contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh Document hyperlink
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 259584 bytes |
SHA-256: 5ec095780ebcabdce8f577d312809e740d5adcfcb97cdf1c62949541c8fa28c4 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_CMD, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress, CreateProcessA Static shellcode analysis recovered command string(s): cmd.exe
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.