Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f0937ac451d630f1…

MALICIOUS

Office (OLE) / .XLS

Size: 74.8 KB | Created: 1996-12-17 01:32:42 | Authoring application: Microsoft Excel
MD5: 889adf746e93966deaf6d2b7fc986e2c
SHA-1: abf17eeab972acdb4674de32a6e68d01bd670070
SHA-256: f0937ac451d630f19da6db951245d36bff8ff255cc3c91224cdb60081791c7ef
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The presence of a VirtualAlloc API reference suggests the execution of code. The document body presents itself as various application forms, a common lure for social engineering. Without extracted scripts or URLs, the exact payload and delivery mechanism remain unclear, leading to a lower confidence score.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 76,622 bytes but its declared streams total only 21,308 bytes — 55,314 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    The file contains a string reference to the VirtualAlloc API.