Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 635fa07bb2f721de…

MALICIOUS

Office (OLE) / .DOC

Size: 1.05 MB
Created: 2020-10-13 17:13:00
Authoring application: Microsoft Office Word
MD5: ddf40e788c0e949851e4aadd8d80c943
SHA-1: c0ae488c819740c08dc19863e483b0f14dd2021f
SHA-256: 635fa07bb2f721de1e3e551f1ab945b8ddc2d477eb2033dc532f15843af1cefc
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a large VBA macro. The macro references Windows Script Host and likely attempts to download and execute a second-stage payload from the embedded URL. The document body is obfuscated and provides no clear user-facing content, suggesting malicious intent behind the macro execution.

Heuristics (3)

  • [high] Reference to Windows Script Host (SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=6077&lngWId=1
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (b448ab78a3a29aaba82505619165687e39faa1130ab19a87c1a569a2d09bb285)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 393623 bytes