Malicious Office (OLE) / .DOT — malware analysis report

Static analysis result for SHA-256 635511b8640ac2de…

MALICIOUS

Office (OLE) / .DOT

829.5 KB Created: 2000-06-13 07:16:00 Authoring application: Microsoft Word 8.0
MD5: c4eaa7f8224466c4803456666f78f7a8 SHA-1: e3c571a11b6f6c3e8940cae32c75ce3f5dfa6c4f SHA-256: 635511b8640ac2de89f09557690ae5f38d6bc2a0c85a9c01407068b74d6886bd
240 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a Microsoft Word template (.DOT) containing a large VBA macro. Heuristics indicate exploitation of CVE-2012-0158 and CVE-2015-0097, and a critical finding of a Shell() call within the Document_Open macro. This suggests the macro is designed to execute arbitrary commands, likely to download and run a secondary payload.

Heuristics 6

  • MSCOMCTL.ListView — CVE-2012-0158 high CVE likely CVE_2012_0158
    MSCOMCTL.ListView — CVE-2012-0158
  • ADODB.RecordSet — CVE-2015-0097 high CVE likely CVE_2015_0097
    ADODB.RecordSet — CVE-2015-0097
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5ff4d54da59e73a40b200c109d595988a0f220e0a17679e1837394d1b088f496		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 611706 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.