Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 67602de7ed548204…

MALICIOUS

Office (OLE) / .DOCX

Size: 957.5 KB | Created: 2001-04-06 08:07:00 | Authoring application: Microsoft Office Word
MD5: 1a1ee02161b83b507421e5c659e0426b SHA-1: 9ead99358442843252f8129877795808315867d8 SHA-256: 67602de7ed548204bf11e9a9c3eea372fa7b9e9be33b4c4ef801b466d4240cde
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The macro code calls Shell() and instantiates WScript.Shell through CreateObject. Both give VBA the ability to run arbitrary commands on the host, which in a document that arrives by e-mail or download is the classic first stage of a dropper: the command typically fetches and launches a second-stage payload. The static heuristics only establish that this execution capability is present; which command is actually run, and whether the extracted URL http://tycho.usno.navy.mil/sidereal.html is reached from the macro at all, has to be confirmed by reading the decoded VBA in the carved macros.bas. Note that attackers routinely split "WScript.Shell" into concatenated string fragments or Chr() calls, so a negative result from plain string matching is not proof of absence.

Heuristics (6)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (OOXML DrawingML namespace URI, present in any .docx and not an indicator)
    • http://tycho.usno.navy.mil/sidereal.html
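The heuristics above are simple pattern matches over the decoded macro source. The following scanner, added here as an illustration and not part of the report or of oletools, re-implements those five rules plus URL extraction over a constructed macros.bas-style module. The rule IDs and severities follow the report's table; the regexes, the numeric weights, the sample macro and the 192.0.2.10 URL are this example's own assumptions. It also undoes the two cheapest obfuscations (Chr() and string concatenation, including VBA line continuations) before matching, and flags which indicators were only visible after that normalisation.

```python
"""Added example: a toy re-implementation of the report's VBA heuristics.
Not the report's code and not oletools; rule IDs/severities mirror the
report, everything else (regexes, weights, sample module) is assumed."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "rule severity detail hidden")

# Rule IDs and severities follow the report's heuristics table; the regexes
# and the numeric weights are this example's own assumptions.
RULES = [
    ("OLE_VBA_SHELL",     "critical", r"(?<!\.)\bShell\b(\s*\(|\s+\")"),  # Shell(...) or Shell "..."
    ("OLE_VBA_WSCRIPT",   "critical", r"WScript\.Shell"),
    ("SC_STR_WSCRIPT",    "high",     r"\bWScript\b"),
    ("OLE_VBA_CREATEOBJ", "high",     r"\bCreateObject\s*\("),
]
WEIGHTS = {"critical": 100, "high": 50, "medium": 20}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
CHR_RE = re.compile(r"\bChr\$?\(\s*(\d+)\s*\)", re.IGNORECASE)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def deobfuscate(src):
    """Normalise the cheapest macro obfuscations so the regexes see the final
    strings: VBA line continuations (" _" + newline) are joined, Chr(n) becomes
    the printable character it encodes, and adjacent literals joined with &
    are merged, e.g. "WScr" & "ipt" & Chr(46) & "Shell" -> "WScript.Shell"."""
    text = re.sub(r"[ \t]*_[ \t]*\r?\n[ \t]*", " ", src)

    def chr_to_literal(m):
        code = int(m.group(1))
        if 32 <= code < 127 and code != 34:          # printable, not a double quote
            return '"%s"' % chr(code)
        return m.group(0)                            # leave anything else untouched

    text = CHR_RE.sub(chr_to_literal, text)
    while True:                                      # merge "a" & "b" until stable
        merged = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
        if merged == text:
            return text
        text = merged


def scan_vba(src):
    """Run the heuristics over one decoded macro module and return the hits,
    the URLs reachable from the macro text and a summed risk score.
    hidden=True on a hit means the indicator only appeared after deobfuscation."""
    text = deobfuscate(src)
    hits = []
    if text.strip():
        hits.append(Hit("OLE_VBA_MACROS", "medium", "Document contains VBA macro code", False))
    for rule, severity, pattern in RULES:
        m = re.search(pattern, text, re.IGNORECASE)
        if m:
            hidden = re.search(pattern, src, re.IGNORECASE) is None
            hits.append(Hit(rule, severity, m.group(0).strip(), hidden))
    urls = sorted(set(URL_RE.findall(text)))
    score = sum(WEIGHTS[h.severity] for h in hits)
    return {"hits": hits, "urls": urls, "score": score}


# Constructed sample module (not the report's macros.bas): a Document_Open
# handler that assembles "WScript.Shell" and a URL from string fragments.
SAMPLE_MACRO = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim sh As Object
    Dim u As String
    Set sh = CreateObject("WScr" & "ipt" & Chr(46) & "Shell")
    u = "http://192.0.2." & _
        "10/stage2.txt"
    sh.Run "cmd.exe /c echo " & u, 0
    Shell "calc.exe", vbHide
End Sub
'''

if __name__ == "__main__":
    result = scan_vba(SAMPLE_MACRO)
    for h in result["hits"]:
        flag = "  (only visible after deobfuscation)" if h.hidden else ""
        print("%-18s %-8s %s%s" % (h.rule, h.severity, h.detail, flag))
    print("URLs:", result["urls"])
    print("score:", result["score"])
```

Run it against the decoded module from the extracted-artifacts table instead of SAMPLE_MACRO to see which of the report's hits are literal in the source and which only emerge after string reassembly; the latter is where a real URL or command line is most likely to be hiding. The regexes are deliberately narrow (Shell as a statement or call, not the ".Shell" suffix of the WScript.Shell ProgID) so the two critical rules do not double-count one line.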

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  44710 bytes
SHA-256 of macros.bas: 173914fbc3afc60e33a91b92899c538fd7437a40857f6b0765ce67f37c219a85