Office (OLE) / .DOC malware analysis — malicious · 43696690c0e885de

MALICIOUS

Office (OLE) / .DOC

3.64 MB

MD5: 08fff20a68faca29c6bc77a3a4ff7b01 SHA-1: 4e56520b26ad92b3372a180b2706f9b831f5d6fb SHA-256: 43696690c0e885de13f451169000d4b1faf3466021457ce7eacb58a06d28f7af

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.005 Visual Basic T1204.002 Malicious File

The presence of VBA macros, specifically an Auto_Close macro that calls Shell(), indicates malicious intent. The script utilizes cmd.exe to download and execute a payload from the embedded URL http://oscqa.com/dksfjvsd.exe. This is a common pattern for macro-based malware droppers.

Heuristics 8

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://oscqa.com/dksfjvsd.exe

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `03fb719e39b6beb1fd6c76c5cede52b5b199665a647d9cb9e772d360217ae168`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.