Office (OLE) / .DOC static analysis report

Static analysis result for SHA-256 823dac064d86ea83…

SUSPICIOUS

Office (OLE) / .DOC

Size: 147.5 KB
Created: 2024-02-28 18:30:00
Authoring application: Microsoft Office Word
MD5: 2a181857debdfcc6a4dd82b30d10adfb
SHA-1: 0377b995921674ef694fe3f950c0c593454009f3
SHA-256: 823dac064d86ea839981daf8c922fdc52cdb29cde355759ed9d7c0bcc0e38848
Risk score: 40

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document containing VBA macros. The `CreateObject` and `GetObject` heuristics indicate potentially malicious macro activity. The `macros.bas` script, when executed, prompts the user to save the document and then calls `SubirArchivo`, which likely attempts to upload a file. This suggests a downloader or data exfiltration attempt.

Heuristics (5)

  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • GetObject call (high) [OLE_VBA_GETOBJ]
    GetObject call
  • VBA macros detected (medium) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  • Macro capabilities present but unconfirmed (info) [MACRO_CAPABILITY_UNCORROBORATED]
    The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f80ad697b939c93e1bafade9333001123b117c7ecb6803642083bcc1505d309a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6934 bytes