Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7f10a343c0318d53…

MALICIOUS

Office (OLE) / .DOC

86.5 KB Created: 2010-07-15 04:57:00 Authoring application: Microsoft Office Word
MD5: 69372bfb1689d563281f16c3a3feddb1 SHA-1: 49bd8315eacb3722c344f4a092cc77d0e645c82c SHA-256: 7f10a343c0318d53f2fc994e29723da929c7530edd59cf7282493726b3459dd8
122 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, including AutoOpen and AutoClose functions, which are commonly used to execute malicious code upon document interaction. The presence of these macros and the 'SC_NOP_EQUIV_SLED' heuristic suggests the document is designed to download and execute a secondary payload. No specific family could be identified.

Heuristics 5

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
e3a6c8063e3724ba4fd2c28420b96f56096d26c870702e76ecbd6d281a0e279a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.