Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 860a5e83c509ec66…

MALICIOUS

Office (OLE) / .DOC

Size: 586.0 KB
Created: 2018-04-27 20:16:00
Authoring application: Microsoft Office Word
MD5: 08cd3c6596b092dd6373b4330bcb6b3a
SHA-1: c7655412ee6568c8a8e2f643ba0f8ac28497f59d
SHA-256: 860a5e83c509ec6615a722cd62ba47a506f115743eeb03cc94b3d2b03cc0ecc0
Risk Score: 168

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The file is a Microsoft Word document containing VBA macros. Heuristics indicate the presence of Windows Script Host references and CreateObject calls, suggesting the macros are designed to execute code. The ClamAV detection name 'Doc.Dropper.Agent-6602728-0' further supports that this is a dropper. The macros likely download and execute a second-stage payload, although the specific URL or payload could not be determined from the provided evidence.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6602728-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602728-0
  • Reference to Windows Script Host [high, SC_STR_WSCRIPT]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (b960948ab8ee0096089121e28a284bc75d00ffe9338c680250c3677e047f2386)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5149 bytes