Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 7741f93bcb75d971…

MALICIOUS

Office (OLE) / .DOCX

Size: 586.5 KB
Created: 2022-02-07 08:38:00
Authoring application: Microsoft Office Word
MD5: a275c1a10b346f2af1a8616531522b85
SHA-1: b090eed745ecae18856a81867c7b898a86218bcc
SHA-256: 7741f93bcb75d971a699c57c352c1a0803c0eb4eea658b2fd54c7d97999bed55
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes upon opening the document. This macro, specifically the Document_Open subroutine, attempts to create a directory if it doesn't exist and then opens another document. The script reconstructs the URL 'http://kukumar1s.r/u/' and uses it in conjunction with other string concatenations to construct the final document path. The password '44' is also hardcoded. The primary intent appears to be luring the user into opening a password-protected file, likely for malicious purposes.

Heuristics (3)

  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6b5c1ee22f7e3179b00a2f7fc16299b597afa3cf93f9808506dec474f2d0e7aa
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1244 bytes