Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0160375e19e606d0…

MALICIOUS

Office (OLE) / .DOC

Size: 1.23 MB
Created: 2020-04-24 03:18:00
Authoring application: Microsoft Office Word
MD5: a27a9324d282d920e495832933d486ee
SHA-1: 0ab8602cee94f36739b6649467ced514301e58fa
SHA-256: 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1
222 Risk Score

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1218 Signed Binary Proxy Execution
  • T1105 Ingress Tool Transfer
  • T1071.001 Web Protocols

The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, indicated by the 'malformed string memory corruption' heuristic. The VBA macro uses LoadLibraryA, GetProcAddress, and VirtualProtect APIs, suggesting it is designed to load and execute a second-stage payload. The embedded URL likely serves as the source for this payload, and the document's nature as a password-protected archive lure further supports a malicious intent to bypass security controls.

Heuristics 7

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://markettrendingcenter.com/lk_job_oppor.docx
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 57aa2907a1c184aa9b02557fa1fc1a465d777848352788a34ff074aee15092e5
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 467196 bytes