Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2d229a302ecfdb8e…

MALICIOUS

Office (OLE) / .DOC

161.0 KB Created: 2020-12-16 13:52:00 Authoring application: Microsoft Office Word
MD5: 5522b698846ce0db6cd7e0ff2511ad93 SHA-1: 49306991945799af7ccd756f0966e0d6a2fb3739 SHA-256: 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is detected as a downloader by ClamAV. Heuristics indicate the presence of Windows Script Host references and VBA auto-execution, suggesting the document attempts to run malicious code. Although VBA macros could not be extracted, the presence of embedded URLs points to a likely download and execution chain. The specific URLs are suspicious and likely host the secondary payload.

Heuristics 5

  • ClamAV: Doc.Downloader.GiftVoucher-9845924-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.GiftVoucher-9845924-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.xaqan.co/wp-admin/6MhAB8xj.php
    • http://smileclothingofficial.com/AJEW0NzyHw48dR.php
    • https://solodarydar.net/wFXyt8RWl3N.php
    • http://sfcityofchampions.com/wp-content/themes/twentyseventeen/template-parts/footer/ICTmBubzh0aplqS.php
    • https://winnercircle.it/wp-content/plugins/astra-addon/classes/cache/8CNok0vJL.php
    • https://elitechauffeurservices.ro/wp-content/plugins/wordpress-seo/vendor/composer/Aa02pG3neWNo.php
    • http://www.petro7.com.sa/focuson/wp-content/plugins/elementskit/compatibility/KaaNDKtIaX0sh.php
    • https://puchoff.com/C40/resource/dpr_2.0/content/dam/ofuhIB4wKU2.php
    • https://straitofgaming.com/phpmyadmin/js/vendor/openlayers/img/Oj9a5ggSO8V4S.php
    • https://elegenttrucking.co.zw/EPODYDRaRi.php
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://www.w3.org/1999/XSL/Transform

Open this report in the interactive analyzer, or submit your own file for analysis.