Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6d3c39976ec6f4bf…

MALICIOUS

Office (OLE) / .DOC

Size: 44.5 KB    Created (OLE metadata): 2003-02-19 01:58:03
MD5:     5040ef90824371a0bd0acaa36263553b
SHA-1:   7f496b7947ae4f78e67a68a1bdd24e6308d9f055
SHA-256: 6d3c39976ec6f4bf43f4cce7cbe52a5f83b1732fb97a9a521db9c57db2ba3bd5
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious OLE document containing VBA macros. The macro source references VirtualAlloc, RtlMoveMemory and CreateThread, the classic in-process shellcode-runner pattern: VirtualAlloc maps an executable buffer inside the Office process, RtlMoveMemory copies the embedded bytes into it, and CreateThread starts a thread on that buffer, so the first stage runs without any executable being written to disk. That pattern is consistent with dropper or downloader behaviour, where the shellcode fetches and executes a second-stage payload; the report records no network indicators, however, so what the payload actually does has to be confirmed from the extracted macro source (macros.bas, listed under Extracted artifacts) or by dynamic analysis. The macros also define AutoOpen, Auto_Open and Workbook_Open entry points, which fire as soon as the document is opened with macros enabled. Carrying both the Word name (AutoOpen) and the Excel names (Auto_Open, Workbook_Open) in a .doc suggests a macro builder that targets both applications, and means the same code would auto-run if it were pasted into a workbook. The OLE creation timestamp (2003-02-19) is attacker-controllable metadata and is not evidence of when the document was built.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Dropper.Valyria-6680543-0
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
  • OLE_VBA_AUTO (high): Auto_Open macro
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • OLE_VBA_MACROS (medium): Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   3155 bytes
            SHA-256: 22b1cebb884ddbcfe92903015e53c2a43f482f69a3e55296bc6b7126cb67605b