Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 605e0161310e7df7…

MALICIOUS

Office (OLE) / .DOC

Size: 1.09 MB
Created: 2020-10-08 09:19:00
Authoring application: Microsoft Office Word
MD5: 040414582679593b92863d9c42afb17f
SHA-1: 9a5be475d4d27dd8cdc85738577519c94af3de72
SHA-256: 605e0161310e7df7e3842e266d154397e1581c1cf3f5344a6c77b52b345bb480
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.007 System Binary Proxy Execution: Built-in Commands
  • T1105 Ingress Tool Transfer

The VBA macro attempts to create a folder 'C:\Battle', write content to 'C:\Battle\Themes.vbs', and then execute it using 'explorer.exe'. It also references certutil, a utility often used for downloading and decoding payloads. The macro's intent is to download and execute a second-stage payload, as indicated by the use of WshShell.Exec and the creation of a script file.

Heuristics (6)

  • ClamAV: Doc.Dropper.Sdrop-9776313-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Sdrop-9776313-0
  • Reference to Windows Script Host [high, SC_STR_WSCRIPT]
    Reference to Windows Script Host
  • Reference to certutil (download/decode) [high, SC_STR_CERTUTIL]
    Reference to certutil (download/decode)
  • LOLBin token sequence in document text [high, SE_LOLBIN_RUN_COMMAND]
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://helmut0.dll
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://example.com/download.exe
    • http://download.cdn.mozilla.net/pub/thunderbird/releases/38.6.0/win32/en-US/Thunderbird%20Setup%2038.6.0.exe

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 63e73aad5883080cb5ed19aa44295dfdd6733d430cbbe20f8752cfb4e7d23493
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1307 bytes