Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63d363caa59a01bd…

MALICIOUS

Office (OLE)

Size: 58.5 KB
Created: 2001-02-15 08:50:00
Authoring application: Microsoft Word 8.0
MD5: 17b48c91af3f201d3b6d392e736caba5
SHA-1: 236fbecb215b8e7826998fec63153cfe59da1211
SHA-256: 63d363caa59a01bdaa64eb8ddb829052393b3a14198ea0544c519eeb90f2a896
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing VBA macros. The macros attempt to disable virus protection and write a second-stage payload to disk at 'c:\hsf*.sys'. They also attempt to connect to '209.201.88.110' via FTP to download further content to 'c:\netldx.vxd'. The presence of the Shell() call together with the download-and-execute behavior strongly indicates a downloader or dropper.

Heuristics (8)

  • Equation Editor OLE object [high] [CVE related] OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • ClamAV: Doc.Trojan.Marker-31 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size (plus Detection where present).

  • macros.bas
    SHA-256: ae33c390f88d5b6b80c11acfd51b437a9b4c075042d3fe17673abf8c9590d1ae
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 21175 bytes
    Detection: ClamAV: Doc.Trojan.Marker-1
    Obfuscation or payload: unlikely
  • embedded_office_off00005c14.ole
    SHA-256: b431dd4128bd7ccb04901f3bf0e48173efd43fbe8c1377919545bc7a98455aa8
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x5C14
    Size: 36332 bytes
  • embedded_office_off00005ca6.ole
    SHA-256: ce314f66630f3ae615380d6a95150fff41511789c725077ce2cd506b3d36d52d
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x5CA6
    Size: 36186 bytes
  • embedded_office_off00005cc4.ole
    SHA-256: 9f1e4236b4125d5959d7a01221b61f42777872976921e5ed4bad5c24cc4238a4
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x5CC4
    Size: 36156 bytes
  • embedded_office_off00005d44.ole
    SHA-256: 2bb647b1c95e8fdceb50d72221631a54210f31f871665d73cf940d004127e7b6
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x5D44
    Size: 36028 bytes