MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
The sample is an OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or gain elevated privileges. While no specific scripts were extracted, the document body contains VBA-like functions such as 'CreateFileW', 'WriteFile', 'WinExec', and 'CloseHandle', strongly indicating that the document contains embedded VBA macros designed to download and execute a second-stage payload. The benign reputation of the extracted URLs means they are unlikely to be the direct download source.
Heuristics 3
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 75,264 bytes but its declared streams total only 16,486 bytes — 58,778 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.earthtimes.org/articles/show/311866,india-pledges-improved-relations-if-pakistan-acts-against-terrorism.html#ixzz0gv9sloG0
- http://schemas.openxmlformats.org/drawingml/2006/main
Open this report in the interactive analyzer, or submit your own file for analysis.