Office (OLE) / .DOC malware analysis — malicious · 4e8a2b592ed90ed1

MALICIOUS

Office (OLE) / .DOC

154.0 KB Created: 2020-11-18 07:48:00 Authoring application: Microsoft Office Word

MD5: a2707bfb35c9fed11d81949873d3a00a SHA-1: d450b0efac0c3bb84e22270c8d76cc02f000bdcb SHA-256: 4e8a2b592ed90ed13eb604ea2c29bfb3fbc771c799b3615ac84267b85dd26d1c

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro that uses CreateObject. This indicates the macro is designed to execute automatically upon opening the document. The document body explicitly instructs the user to 'enable editing' and 'enable content', a common social engineering tactic to bypass security warnings and execute the malicious payload. The embedded URL is highly suspicious and likely serves as a download or command-and-control endpoint.

Heuristics 7

Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cmႬႮႰ჆჈჌ᄮᄰᅂᆀᆂᆊᇔᇖᇠᇢ짖훉짉짖훉³ᔫ띨ꬅᘀ彨䉿
- http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0228dd7d4a976e86394acaf294593bbfeb4dd342d3e0ef5720e1bdbc7160a660`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13575 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.