Office (OLE) / .DOC malware analysis — malicious · 667f88e8dcd4a155

MALICIOUS

Office (OLE) / .DOC

234.5 KB Created: 2020-05-10 15:31:00 Authoring application: Microsoft Office Word

MD5: 6dbdd1efcab25eaaec2217e9bcbf0718 SHA-1: 8d4782e50282a81c38aed151882647c0ebb3269d SHA-256: 667f88e8dcd4a15529ed02bb20da6ae2e5b195717eb630b20b9732c8573c4e83

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1140 Deobfuscate or Reverse-Engineer Malicious Software T1204.002 Malicious File

The sample contains VBA macros that leverage `CreateObject` and string manipulation to construct commands for downloading and saving payloads. Specifically, it appears to use `certutil -decode` and `Rundll32` to process and execute a second-stage payload. The macro attempts to save files as '.xls' and '.pdf' in the C:\Users\Public\ directory, suggesting a dropper functionality.

Heuristics 6

ClamAV: Doc.Dropper.Sagent-9765455-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Sagent-9765455-0
Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x41 (A) bytes found
Reference to certutil (download/decode) high SC_STR_CERTUTIL

Reference to certutil (download/decode)
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `59c40f8490b9abca7c453578844cfc41a2fd7f3103e93a73ba4db49504b7ecee`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1511 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.