Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a legacy Word document containing a WordBasic macro named 'AutoOpen'. The macro presents a "Newsletter Wizard" lure to the user, which is a common social engineering tactic to encourage macro execution. The presence of heap spray and OLE parsing anomalies suggests the document is designed to exploit vulnerabilities or deliver a secondary payload. The macro's intent is likely to download and execute further malicious content.
Heuristics (6)
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x07 bytes found.
Disassembly
Attempted x86 opcode disassembly
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 55,171 bytes but its declared streams total only 0 bytes: 55,171 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off00005e7d.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5E7D | 55171 bytes |

SHA-256: b410dc392de4392cfab5149eb2dcc667497aebb8343753c55560cae547edf57c

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x07