Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8a6a69b59371e633…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 857.5 KB
Created: 2021-10-05 13:50:00
Authoring application: Microsoft Office Word
MD5: 1c252d562b846f8535d87bfab0c7c1f2
SHA-1: 505e94afb37b9541dc194efa15fef3c4bd953d30
SHA-256: 8a6a69b59371e63327ebe4a2cf904b821b07b14c737586248a905adc5cf7de49
Risk Score: 104

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample contains a Document_Open VBA macro that attempts to locate and execute a file named 'zoro.kl'. The macro also attempts to write to registry keys that control VBA security settings, most likely to suppress macro warnings or enable macro execution. The script's intent is to download and execute a second-stage payload, but the exact location and nature of that payload could not be fully determined because the script is obfuscated and truncated. The presence of an EMF object inside an EPRINT stream further suggests an exploit attempt or embedded malicious content.

Heuristics (5)

  • Office EPRINT stream contains EMF object [high, CVE related] OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in normal documents and is evidence for the CVE-2007-3893 / MS07-046 family when paired with other Office exploit payload anomalies, but this rule alone does not prove that the EMF record is malformed.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected [medium] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 4b4d165f838373d82956ea57a25034d84ac153ba8b2074181d6c5a1be9fa8daf
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3750 bytes
  • Filename: ole10native_00.bin
    SHA-256: 2d00befb3e7c6aa3ff7ad34b4eeef23517e793cfd7f765501619ad77505abeae
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1694918961/Ole10Native
    Size: 238886 bytes
Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy: 7.97, consistent with packed or encrypted content.