Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 565cf3cb7e799c99…

MALICIOUS

Office (OLE) / .DOC

Size: 419.5 KB
Created: 2020-01-14 08:30:00
Authoring application: Microsoft Office Word
First seen: 2023-03-30

MD5: 4d5d951f2033e7e926395e8e0f7de847
SHA-1: 03f18dc5c1b11231994774ed277439607e89ade8
SHA-256: 565cf3cb7e799c991fba39f507a122bdaba81624ed373f467422f57edecfe399

Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The document contains a lure instructing the user to enable macros, which is a common tactic for malware delivery. The AutoOpen VBA macro is triggered upon opening, and it utilizes the Shell() function to execute commands. The script also contains a commented-out URL that likely points to a malicious payload, and the presence of 'curl' in the document body suggests an attempt to download external content. The macro's intent is to download and execute a second-stage payload.

Heuristics (10)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.virsec.de/img/mcafee-rgr.png
    • https://dashdot.de/wp-content/uploads/2018/12/Windows-Logo.jpg
    • https://www.incimages.com/uploaded_files/image/1920x1080/getty_168325476_349217.jpg
    • https://www.mindsetters.com
    • https://uploads-ssl.webflow.com/6152fffd477fccbd0911a851/61584cc521b13c9a8cac5796_mindsetters_circle.png
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • https://workbench.redbull.com/departments/information-technology/services/digital-security/tips-to-stay-secure/phishing/
    • http://ec2-34-255-85-35.eu-west-1.compute.amazonaws.com/api/rbuser
    • https://sharevideo.redbull.com/vjs/index.html?r=1\\&accid=1892432914001\\&pid=EyrSk31Tx\\&vid=6113290091001
    • https://sharevideo.redbull.com/vjs/index.html?r=1&accid=1892432914001&pid=EyrSk31Tx&vid=6113290091001
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • https://sharevideo.redbull.com/vjs/index.html?r=1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 266ad050f1e7a25e89f9dc12092565822fd421a9ec6737737a685291622edf4b
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7800 bytes