Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 05afc5da1ec75682…

MALICIOUS

Office (OLE) / .DOC

Size: 242.4 KB
Created: 2020-05-10 16:26:00
Authoring application: Microsoft Office Word
MD5: 3d6f0d2f293c0b10862f939fb98aa23e
SHA-1: a2d33b7dfe17e4358979b827c90c5854fac5bece
SHA-256: 05afc5da1ec756826b0a73387f135370f293a4bbd22271a1b6462945c836552e
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1140 Deobfuscate or Obfuscate Malicious Code
  • T1204.002 Malicious File

The sample contains VBA macros that leverage CreateObject to execute commands, including references to 'certutil' for potential decoding and 'winmgmts:Win32_Process' and 'Rundll32' for execution. The script attempts to save the document in multiple formats and then execute a task using a constructed string, likely to download and run a second-stage payload. The presence of heap spray and certutil references suggests obfuscation and download capabilities.

Heuristics (6)

  • ClamAV: Doc.Dropper.Sagent-9765455-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Sagent-9765455-0
  • Heap-spray pattern detected [high, SC_HEAP_SPRAY]
    Repeated 0x41 (A) bytes found
  • Reference to certutil (download/decode) [high, SC_STR_CERTUTIL]
    Reference to certutil (download/decode)
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.microsoft.com0
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    • http://www.microsoft.com/PKI/docs/CPS/default.htm0@
    • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
    • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: bcbe2440a3e3e1f44a2c66d85417677231b2c54dcd7e3307bf4e396757159f4c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1511 bytes