Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4c26e1d119c3bf85…

MALICIOUS

Office (OLE) / .DOC

Size: 33.0 KB
Created: 2022-12-23 03:20:00
Authoring application: Microsoft Office Word
First seen: 2022-12-23
MD5: 21591ec738614b136246add46b9570a4
SHA-1: c57a2ab85a0325b8f4f275eaa1d33f04d69b0611
SHA-256: 4c26e1d119c3bf85ba71d7c88d91f0d9e252d7daa6d96cbea9d880126aa9a78a
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The sample contains obfuscated VBA macros that are triggered by the AutoOpen function. These macros construct a URL using string concatenation and download a file named 'file.exe' to disk, which is then executed. The document body explicitly instructs the user to enable macros, indicating a social engineering lure to facilitate the execution of the malicious payload.

Heuristics 9

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: a28f23fbc440c13682495894c2a61b579d89ef275714c3dc06d97ead10fa62d2
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1475 bytes