Office (OLE) / .DOC malware analysis — malicious · 2a36f4f8d0bd6b9c

MALICIOUS

Office (OLE) / .DOC

351.5 KB Created: 2018-06-15 08:56:00 Authoring application: Microsoft Office Word First seen: 2023-04-19

MD5: 876305f36263bd3a515da037981f0f36 SHA-1: a1a43980517c3862eeb2c23953031e0be96ebfc3 SHA-256: 2a36f4f8d0bd6b9c48e6d7767ab2408e52a3eac20809e22b42b09130c4d9e662

242 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1105 Ingress Tool Transfer

The AutoOpen macro executes a PowerShell command that downloads and runs a script from a remote URL. The script is obfuscated using string concatenation, but the reconstructed URL is 'https://bienenstock.eastus.cloudapp.azure.com/beeshell/admin/ui/../ui_plugins/100_iex-generator/beeshell.ps1'. The document body, though heavily corrupted, suggests a lure related to document repair or a new version request.

Heuristics 7

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://www.iec.ch
- http://schemas.openxmlformats.org/drawingml/2006/main
- https://bienenstock.eastus.cloudapp.azure.com/beeshell/admin/ui/../ui_plugins/100_iex-generator/beeshell.ps1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fc7ea0678aeb131ce76d7161261a941c4f479def4d65ce8e8f37d75c29fafc88`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1055 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.