Verdict: MALICIOUS
Risk Score: 102

Malware Insights

MITRE ATT&CK: T1204.002 Malicious File
The sample is identified as a suspicious Office document masquerading as an Access database, indicated by the ACCESS_MASQUERADE_DROPPER heuristic. While VBA macros could not be extracted due to an unsupported format, the presence of embedded URLs suggests a delivery mechanism. The file's true intent is likely to download and execute a secondary payload, but the specific nature of this payload cannot be determined without further analysis of the embedded content.
Heuristics (3)

- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE file is 40,867 bytes but its declared streams total only 56 bytes; 40,811 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Unsupported Office format for VBA extraction (info, OFFICE_FORMAT_UNSUPPORTED): The Analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off0001205d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x1205D | 40867 bytes |

SHA-256: 3a294c4938a6450c65063c3489bc8ec983ef4c57a73037945da5d1e841bb399c