Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f5d0960e38a36e02…

MALICIOUS

Office (OLE)

Size: 72.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: b8a537d1b23e8c2a14b4796e3a5915c8
SHA-1: d0491f3a1e2472b10fd2d637d6baa833cb53aef3
SHA-256: f5d0960e38a36e02007ecf363381aa93938a96286e859274c4ce468d6f033f30
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a significant amount of slack space, which may indicate obfuscation or embedded malicious content. A heuristic match on the CreateProcess API suggests the document attempts to launch external processes. The document body presents itself as an application form for various permits, likely a lure to engage the user. Without extracted scripts or URLs the exact execution flow is unclear, but the CreateProcess reference points towards a downloader or dropper.

Heuristics (2)

  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 73,728 bytes but its declared streams total only 21,308 bytes — 52,420 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).