Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4ee1c45af3f32084…

MALICIOUS

Office (OLE) / .DOC

644.0 KB Created: 2020-01-13 09:40:00 Authoring application: Microsoft Office Word
MD5: bfeaf23e7339855dd886359441cd1db5 SHA-1: 482c989d95ea8a315c2522f773caf6f3e4a8b850 SHA-256: 4ee1c45af3f320847755702eafac8e87f35fa37b5b053b4092ba27e2fcbc756c
100 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.003 Windows Command Shell

The sample is a Microsoft Office document containing VBA macros. Heuristics indicate the presence of CreateObject and CallByName calls, which are commonly used for malicious purposes. The embedded JavaScript is heavily obfuscated, but its structure suggests it is designed to download and execute a secondary payload. The presence of VBA macros together with the obfuscated script points towards downloader or dropper functionality.

Heuristics 4

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                                Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  4252 bytes
            SHA-256: 9f7d44bbb9a10d50876c722d2ea495c69f2d4b07c2275ac8a72c7c64e897e66d