Office (OLE) / .DOC malware analysis — malicious · 70d439b693fc58ac

MALICIOUS

Office (OLE) / .DOC

239.0 KB Created: 2021-02-23 10:15:00 Authoring application: Microsoft Office Word

MD5: ae00b98039cebe5ef6e576d9c9d708ac SHA-1: cb36fd0d530b6ae763ba88356344ff6e46989364 SHA-256: 70d439b693fc58ac1a8ea753207356a4611ab6e961b12af7f0cc8b8d630de405

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1218.005 System Binary Proxy Execution: Mshta

The sample contains a VBA macro that executes a command using WinExec. This macro constructs a command string that appears to use 'certutil' to decode a payload from a URL (implied by the structure and the 'certutil -decode' command) and save it to a file in the %appdata% directory. The macro also attempts to delete intermediate files and execute the decoded payload. The presence of 'certutil' and 'cmd /C' strongly suggests a downloader or dropper functionality.

Heuristics 6

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to certutil (download/decode) high SC_STR_CERTUTIL

Reference to certutil (download/decode)
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `81d2b1011680cf2274a656d2b6e0ba1e2ff14c2047f5b45f082c1937ff25d2ed`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1418 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.