Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7080a3f1e096628a…

MALICIOUS

Office (OLE) / .DOC

Size: 113.0 KB
Created: 2020-05-16 15:58:00
Authoring application: Microsoft Office Word
MD5: 29dcb8a1ab97f9a30208f7bf9de85253
SHA-1: 22cb566c94548382f35c06288beb4dbd2ae733af
SHA-256: 7080a3f1e096628a4b498fba078b2bc9cb3706145e0770de5f43108daa28b0aa
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The presence of the Document_Open macro and references to Windows API functions such as VirtualProtectEx and CreateThread indicate that the macros are designed to execute code, likely to download and run a second-stage payload. The ClamAV detection further confirms its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Malware.Shellex-8423557-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Shellex-8423557-0
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    The macro code references the VirtualProtect API.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6dab5d1b9278dc86547867a652b33dfc314523cf20185ae30a276bbb6690b87e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29880 bytes