Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 21360cb095ead182…

MALICIOUS

Office (OLE) / .DOC

Size: 46.5 KB
Created: 2022-07-17 09:25:00
Authoring application: Microsoft Office Word
First seen: 2022-11-29
MD5: 3d862b2bb9cd8ccce4e3329a09d3da5f
SHA-1: 570acfe13f3bf37ff370ade08ddbb361fc2d840e
SHA-256: 21360cb095ead182c21d9203b9d619e6b57f1dacdfefa6b9499173f8c5e3adc5
Risk Score: 390

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1055 Process Injection
  • T1055.012 Process Hollowing

The sample contains VBA macros that trigger critical heuristics related to process injection (WriteProcessMemory, CreateRemoteThread). The AutoOpen and Workbook_Open macros indicate an attempt to automatically execute malicious code upon opening the document. The script uses Windows API calls like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, suggesting it aims to inject code into a running process. No specific family could be identified, but the technique is common for malware delivery.

Heuristics (11)

  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
  • ClamAV: Doc.Malware.Valyria-10012625-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-10012625-0
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
  • Auto_Open macro (high, OLE_VBA_AUTO)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (this is the standard OOXML DrawingML schema namespace identifier, a string present in ordinary Office documents, not a contacted host)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f718ffa2e16d367987b11887b8fdffa0665f5893d7458d2dc270075a6b33a008
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7885 bytes