Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5b343d8163cc250e…

MALICIOUS

Office (OLE) / .DOC

Size: 90.5 KB
Created: 2015-11-03 07:55:00
Authoring application: Microsoft Office Word
First seen: 2022-04-28
MD5: 274695746758801bfb68f46f79bfb638
SHA-1: af402da50bc5f0e8c84fec3caae8ee8402d641a9
SHA-256: 5b343d8163cc250ecfb56f63c753421decfde5f36c7a7559819129e4a377f464
Risk Score: 362

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. Critical heuristics flag the use of WScript.Shell and a Shell() call, together with the critical finding that the VBA code downloads a file via HTTP and writes it to disk. An AutoOpen macro is present, so the code executes when the document is opened. The embedded URL, although benign by reputation, is referenced by the macro, indicating its potential use in a download chain.

Heuristics (9)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
  • VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where no visible source is available.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
SHA-256:   fd8cbd034dce007c169583032030edac5b1c8e095058aa59cc357065be2bf381
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      107863 bytes