Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 155612dca49aaecc…

MALICIOUS

Office (OLE) / .DOCX

Size: 132.5 KB
Created: 2022-02-10 21:55:00
Authoring application: Microsoft Office Word
MD5: 95d17a8291df74d92096daaf4eb78d7b
SHA-1: 4c0ce7fdb17d5fe1f376a1633943de9bb3553dfe
SHA-256: 155612dca49aaecc8650f7c65682703f353b72401f323c9c9a6d04de1a814b3d
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The VBA macro uses WScript.Shell to create a temporary VBScript file which, in turn, downloads a DLL payload from a hardcoded URL. This payload is then written to disk in the temporary directory. The script's obfuscation and its reliance on downloading external content indicate downloader or dropper functionality, characteristic of many malware families.

Heuristics (6)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 928a0837321910525bff80a38401c7eea4dd5e8bc1ea824df2d8f4eead2ec008
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4262 bytes