Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4e199829344b5f85…

MALICIOUS

Office (OLE) / .DOC

Size: 521.5 KB
Created: 2021-09-08 12:02:00
MD5: 0a832cd8e3a03edec222c5e439fc8745
SHA-1: e01983f1a0c55a42322c290696ba7c7a7bbe87a0
SHA-256: 4e199829344b5f85afad39d52c753e6d3aae1e3da7f3ab8a0dd057f1b705d0db
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious DOC file containing VBA macros. The Document_Open macro runs automatically when the document is opened; it attempts to copy the document's content and save it as 'reform.doc', protected with the password '2281337', in the user's template path. It also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. The VBA code is partially obfuscated, but the intent to download and execute a payload is clear.

Heuristics (5)

  • Office EPRINT stream contains EMF object (severity: high, CVE related) — OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893 / MS07-046-family evidence when paired with Office exploit payload anomalies, but a malformed EMF record is not proven by this rule alone.
  • Document_Open macro (severity: high) — OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected (severity: medium) — OLE_VBA_MACROS
    The document contains VBA macro code.
  • Suspicious extracted artifact (severity: info) — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256:  0a06014613143cbe2a99a6668797fa75d777745e4cb0cc3d3e516c00f52b7709
  Kind:     vba-macro
  Source:   oletools.olevba.extract_macros (decoded VBA source)
  Size:     2886 bytes

Artifact 2
  Filename: ole10native_00.bin
  SHA-256:  c14c2950f2bf2b0b9f45bae327f4a499e0e0703355490ddb15278dfc2f446340
  Kind:     ole-package
  Source:   OLE Ole10Native stream: ObjectPool/_1692582292/Ole10Native
  Size:     340801 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.