Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 768bb7fab4eaa346…

MALICIOUS

Office (OLE) / .DOC

Size: 1.09 MB
Created: 2020-10-08 09:19:00
Authoring application: Microsoft Office Word
MD5: b3cad756a9a51024e5336d6882f76988
SHA-1: af9c4522be8181b94a19d424c79a67d42437dd35
SHA-256: 768bb7fab4eaa3467076c215b892575ed7b1b6336d97c6a1b536385c7831bce4
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The VBA macro code within the document attempts to create a directory named 'C:\Battle' and then writes a VBScript file named 'Themes.vbs' into it. The script is then executed via 'explorer.exe'. This indicates dropper or downloader functionality intended to run a second-stage payload. The WScript and certutil heuristics further support the intent to download and execute additional content.

Heuristics (6)

  • ClamAV: Doc.Dropper.Sdrop-9776313-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Sdrop-9776313-0
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Reference to certutil (download/decode) (high, SC_STR_CERTUTIL)
    Reference to certutil (download/decode)
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://helmut0.dll
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://example.com/download.exe
    • http://download.cdn.mozilla.net/pub/thunderbird/releases/38.6.0/win32/en-US/Thunderbird%20Setup%2038.6.0.exe

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 63e73aad5883080cb5ed19aa44295dfdd6733d430cbbe20f8752cfb4e7d23493
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1307 bytes