Office (OLE) / .DOC malware analysis — malicious · 7c4daba1a3902f0a

MALICIOUS

Office (OLE) / .DOC

1.62 MB Created: 2021-12-07 15:54:00 Authoring application: Microsoft Office Word

MD5: 90af683d526be851705711084f29c85b SHA-1: 89229a6f4548478dd81ff9fc11b83c1bf76c4ac3 SHA-256: 7c4daba1a3902f0a7c09db447b20edd4eabc18ac4c56ef1483e257e86ad88719

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious OLE document containing VBA macros, specifically an AutoOpen macro, which is a common delivery mechanism. The VBA code attempts to load and OCR a TIFF file, and also calls functions that appear to be related to file operations and potentially downloading or executing further stages, indicated by the suspicious paths like 'c:\.intel\.rem\1.png' and 'c:\.intel\.rem\2.png' being used as library paths. The presence of the AutoOpen macro and the suspicious file paths strongly suggest the execution of a secondary payload.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,700,566 bytes but its declared streams total only 954,461 bytes — 746,105 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1fd7fa69c607e24b79609c4f6a4dd23b0f8fbc88351b0a7cd69da8eb77a341d2`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	51767 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.