Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 29d6f55d77cfaaff…

MALICIOUS

Office (OLE) / .DOC

Size: 525.5 KB
Created: 2020-12-09 15:12:00
Authoring application: Microsoft Office Word
MD5: 282e8584e65fd7357a90d9db674c7f83
SHA-1: a7768f18bff4cbbe0cfc890b29e6be668e2eaf19
SHA-256: 29d6f55d77cfaafffc94eb126fa91b771fe2eb6da1ef12595f92f350aa3bc473
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that uses GetObject and WScript references, indicating an attempt to execute malicious code upon opening. The script likely downloads and executes a second-stage payload from one of the numerous embedded URLs. The obfuscated document body and the nature of the heuristics strongly suggest a malicious intent, though the specific family could not be determined.

Heuristics 8

  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Environ() call, i.e. environment variable access (low, OLE_VBA_ENVIRON)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 45c57575ad5a55149ed5740315895328ec106e4eae61e61bbe70d38fffc66e78
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18546 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 125 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.