MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1055 Process Injection
T1105 Ingress Tool Transfer
The sample exhibits high-confidence heuristics related to process injection (WriteProcessMemory, CreateRemoteThread) and dynamic execution (CreateProcess, VirtualAlloc, VirtualProtect, GetProcAddress). The presence of a large slack space anomaly in the OLE structure is also noted. These indicators suggest the document is designed to download and execute a second-stage payload, likely exploiting a vulnerability to achieve this. No specific family could be identified.
Heuristics 8
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREADReference to CreateRemoteThread API
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 142,508 bytes but its declared streams total only 21,151 bytes — 121,357 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
Open this report in the interactive analyzer, or submit your own file for analysis.