Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 02f1ee5e947db5bc…

MALICIOUS

Office (OLE) / .DOCX

Size: 957.5 KB
Created: 2001-04-06 08:07:00
Authoring application: Microsoft Office Word
MD5: 19c10acbf84ea17e539ae22d48c3335c
SHA-1: 040cbd9f5366207f28c30d38885d59d43044c6b9
SHA-256: 02f1ee5e947db5bc92befa3c062e21592c5764775eee75c4b168f2466e1c1913
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that use WScript.Shell and the Shell() function, indicating an intent to execute arbitrary commands. Together these calls strongly suggest the macro is designed to download and execute a secondary payload. Although the payload itself is not visible because the extracted macro source is truncated, the overall pattern is consistent with a macro-based downloader.

Heuristics (6)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://tycho.usno.navy.mil/sidereal.html

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 173914fbc3afc60e33a91b92899c538fd7437a40857f6b0765ce67f37c219a85
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 44710 bytes