Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 786f5cf445a55c83…

MALICIOUS

Office (OLE) / .DOCX

38.5 KB Created: 2021-07-06 04:33:00 Authoring application: Microsoft Office Word
MD5: 4f13f4f5acbc860707fb4bc0a29e64dd SHA-1: ad17b37b7d7b8017a8460c8b0c6e3677fb1784b4 SHA-256: 786f5cf445a55c8335e46f40d6868b78b36744bf16107351e8a298fbc14c0d59
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell

The sample is a malicious Office document containing VBA macros. The macros utilize CreateObject and CallByName functions, indicative of malicious intent. Specifically, the script attempts to reconstruct the string "MSXML2.ServerXMLHTTP" to create an object for making HTTP requests. It then sends data to the URL "https://fusuri-solt-down.com/ecm/ibm/1629207632/feedback", suggesting it's a downloader for a second-stage payload. The ClamAV detection also confirms its malicious nature as a downloader.

Heuristics 6

  • ClamAV: Doc.Downloader.Valyria-10033997-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033997-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fusuri-solt-down.com/ecm/ibm/1629207632/feedback
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
eece5c8b7fd4440887598978d4db76dc0d38fbf0fd4fbe6e5bbb2f3e165d4818		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3134 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.