Office (OLE) / .DOC malware analysis — malicious · 11a6912a856c6ff9

MALICIOUS

Office (OLE) / .DOC

220.0 KB Created: 2020-04-27 09:40:00 Authoring application: Microsoft Office Word

MD5: d2874e671ceb5570e2c6980ce621ecc2 SHA-1: 4ba368e6211fc7add55884c3fae2632087a8513b SHA-256: 11a6912a856c6ff90996fea0f4c706b7f6d0998c8ad7b033e5f8329c8666543d

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro is obfuscated but references WinExec API and includes a Document_Open subroutine, indicating it is designed to execute code upon opening. The obfuscated nature and API calls suggest it's a downloader for a second-stage payload. No specific family could be identified.

Heuristics 5

ClamAV: Doc.Malware.Generic-8011099-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-8011099-0
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6570e3eab448589fb960a3251a8b7aefec97f0eb138b9f2081cd9189bbbdfa28`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	31163 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.