Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7efc5ca3fd089dbd…

MALICIOUS

Office (OLE) / .DOC

Size: 93.5 KB
Created: 2017-09-11 01:22:00
Authoring application: Microsoft Office Word
First seen: 2022-04-24
MD5: 904a2f7dcd1d84aa98eb923a7910d7d8
SHA-1: 1686858996d95ce207b3d0198159ae112448493a
SHA-256: 7efc5ca3fd089dbd31209adb85678bab8cf4753530d8e6a9d9cc4d9a0bde2a9c
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a malicious Office document containing VBA macros. The 'Document_Open' macro is designed to execute automatically when the document is opened. It appears to overwrite existing macros with new code, as indicated by the 'APMPKILL' strings and the logic that deletes and inserts lines of macro source. This behavior strongly suggests the macro's purpose is to download and execute a secondary payload from a remote source, a common technique for initial infection.

Heuristics (4)

  • ClamAV: Doc.Macro.APMPKILL-6097118-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.APMPKILL-6097118-0
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                                     Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)        1107 bytes
            SHA-256: db4be8f51b6085e87c8c0ee754347f8d71fd6fe6633a7af8df142ba75f411d20