Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 471af6dd32cf6e16…

MALICIOUS

Office (OLE) / .DOC

86.9 KB
MD5: 09f1cb1a024170d7e35ccd536b5dc33b SHA-1: 361ac27d775950ae28199c665626cf260dec9a65 SHA-256: 471af6dd32cf6e161f17bacb433193db75a84f8c5510214c4f28898a4bf35b8a
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The critical heuristic firing for Shell() calls in VBA, combined with cmd.exe references, indicates the macro is designed to execute commands. The VBA script explicitly writes content to a file named 'lengthNextGen.hta' in the ProgramData directory and then executes it using cmd.exe via the Shell() function. This strongly suggests the macro's purpose is to download and run a second-stage payload, likely an HTA file, which is a common delivery mechanism for malware.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/aml/2001/core
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/word/2003/wordml
    • http://schemas.microsoft.com/office/word/2003/auxHint
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2003/wordml/sp2
    • http://schemas.microsoft.com/schemaLibrary/2003/core

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
1fd04235f8fde81dc8b01d4d82ac17b1fddce815e71b774d7fb81ba5a211ea17		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 853 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.