Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4351ed3fc65e57ae…

MALICIOUS

Office (OLE) / .DOC

707.5 KB Created: 2020-09-24 03:36:00 Authoring application: Microsoft Office Word
MD5: 2cdd1f0cdbeac5f59dbb3409b723eea7 SHA-1: 7f9dfaf174d5ca46f9a27fef751654edb101f6b3 SHA-256: 4351ed3fc65e57ae9035ae007b5832adf5a6806acb94045802a9126c475bd59e
388 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1106 Native API T1071.001 Web Protocols

The file is a malicious Microsoft Word document containing VBA macros. Heuristics indicate the use of APIs such as CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, suggesting the macro attempts to inject and execute code. The presence of a VBA auto-execution trigger (Workbook_Open) further supports this. The ClamAV detection 'Doc.Macro.Injection-6355574-0' confirms its malicious nature. The extracted artifact 'macros.bas' is likely the malicious VBA code.

Heuristics 11

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • ClamAV: Doc.Macro.Injection-6355574-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Injection-6355574-0
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4639af25a7331788bbf3ac2996df3b4845bf577eccea9e77424290e30ebbeed0		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 467582 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1450 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.