Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 0d01b24f7666f9bc…

MALICIOUS

Office (OLE) / .DOCX

2.27 MB Created: 2020-04-24 03:18:00 Authoring application: Microsoft Office Word
MD5: 3f326da2affb0f7f2a4c5c95ffc660cc SHA-1: f38abb67d47a4f69536ae67aa9c6df7287c08869 SHA-256: 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b
282 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a Microsoft Word document that exhibits critical heuristic firings for CVE-2007-3899, a memory corruption vulnerability, and also references APIs commonly used for loading and executing code such as VirtualProtect, LoadLibrary, and GetProcAddress. The presence of VBA macros further supports the execution of malicious code. The document likely attempts to trick the user into opening a password-protected archive, as indicated by the 'SE_PASSWORD_ARCHIVE_LURE' heuristic, which is a common tactic to bypass gateway security. The embedded URL is likely used to download the next stage of the attack.

Heuristics 8

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Malware.Logan-10034467-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Logan-10034467-0
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lm-career.com/careeroppr.docx
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7522494d8ab4fc04d41ab0e48231675da8b8ef1f74f352634a99c84f6c0453c5		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1013877 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.