Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 80afc26602077801…

MALICIOUS

Office (OLE) / .DOC

Size: 200.5 KB  Created: 2020-12-09 12:05:00  Authoring application: Microsoft Office Word
MD5: 10b9061e7d085d6e19185660e0d7730c
SHA-1: 349e845dbe1ec4d4d797e729afb92fbe07794ac6
SHA-256: 80afc266020778010f8b25e296c72d443dcc5865667177a1ddfebe6f754aea7c
Risk score: 190

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that uses GetObject and Environ calls, indicative of malicious intent. The macro likely attempts to download and execute a second-stage payload from one of the embedded URLs. The presence of multiple URLs of unknown reputation suggests downloader or dropper functionality.

Heuristics (7)

  • Reference to Windows Script Host (severity: high, rule: SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 789d7b946823087c03614a0c7aab55d6749808dee887b9b9462d9f3d2c401678
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23685 bytes