Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 25b1a6b2d713499b…

MALICIOUS

Office (OLE) / .DOCX

Size: 539.5 KB
Created: 2021-08-03 10:27:00
Authoring application: Microsoft Office Word
MD5: c6a955feba1b9e85859176043a1a274c
SHA-1: 31e397116cb4a2ec8188f9b51c0b980389031689
SHA-256: 25b1a6b2d713499b4d483d782626ff8f8622bfa1b078a6641d2efbe615db1ffd
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro that executes when the document is opened, as indicated by the 'Document_Open' subroutine. This macro attempts to save a file named 'qq.doc' to the user's default template path and then open it. The presence of the 'Document_Open' macro together with the file manipulation strongly suggest an intent to deliver a secondary payload or execute further malicious actions. The macro also appears to interact with registry keys related to VBA warnings, potentially attempting to bypass security settings.

Heuristics (5)

  • Office EPRINT stream contains EMF object (high, CVE related) OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected (medium) OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: c9dd69f59b02fb72a7f9c5f33a81fb63cfcc988dca467df03a1261ca6f1317f5
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 2673 bytes
  • Filename: ole10native_00.bin
    SHA-256: 8e716354a241893cf79ad19e9a350f37a17b739321766222fb39a459fb87e4bc
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1689466344/Ole10Native
    Size: 368925 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.