Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5ca2160894621ed2…

MALICIOUS

Office (OLE) / .DOC

137.5 KB Created: 2020-10-08 09:19:00 Authoring application: Microsoft Office Word
MD5: 4ab4f7fa01c52bc840a4af797c22315b SHA-1: cab3b73d1a4aacbd6a0f47506e39b5fc3bfbb26d SHA-256: 5ca2160894621ed245dec359fbdbde7808a2e99197d850836ae5516af09bc514
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Rundll32

The sample contains VBA macros that, when executed, attempt to create a folder 'C:\Battle', write a script to 'C:\Battle\Themes.vbs', and then execute it using 'explorer.exe'. The script also attempts to delete the 'C:\Battle' folder. The embedded URL 'http://helmut01.tech017.net.in/bomb.dll' is likely the source of the payload. The ClamAV detection 'Doc.Dropper.Sdrop-9776313-0' further supports its malicious nature as a dropper.

Heuristics 5

  • ClamAV: Doc.Dropper.Sdrop-9776313-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Sdrop-9776313-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://helmut01.tech017.net.in/bomb.dll
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://example.com/download.exe
    • http://download.cdn.mozilla.net/pub/thunderbird/releases/38.6.0/win32/en-US/Thunderbird%20Setup%2038.6.0.exe

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a123f076386ea5a54a46457774dc5b36c97dc61cef4774547ae11cda8a12d7e5		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1307 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.