Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8b0b33091469c17d…

MALICIOUS

Office (OLE) / .DOC

Size: 850.5 KB
Created: 2021-10-07 09:24:00
Authoring application: Microsoft Office Word
First seen: 2021-10-14
MD5: 6f2f9df7a84a72ccd6003a0ec20f8cc4
SHA-1: 28182365778ec737e6d0d4008ada318621db41e8
SHA-256: 8b0b33091469c17d7750b198941bc184ec40c8e3cb470b5733f43e96a17113f7
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is a malicious OLE document containing VBA macros. The Document_Open macro is triggered upon opening the document, which then attempts to create a persistence mechanism by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. It also attempts to open another document using the password 'doyouknowthatthegodsofdeathonlyeatapples?'. The exact payload or further actions are not fully discernible due to script truncation, but the intent is clearly malicious.

Heuristics (5)

  • Office EPRINT stream contains EMF object (severity: high, CVE related, rule OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is evidence of the CVE-2007-3893/MS07-046 family when paired with Office exploit payload anomalies, but a malformed EMF record is not proven by this rule alone.
  • Document_Open macro (severity: high, rule OLE_VBA_DOCOPEN)
    A Document_Open macro is present; it runs automatically when the document is opened.
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: e36f32bea62b6f4a176499b61986825adee6aa3817d4759753bc3639958ddc72
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3579 bytes
  • Filename: ole10native_00.bin
    SHA-256: 6aebc83c9076d5b03332190cbbdb7943aa0fc7b3c640d07cbc4fe0507ac36d3b
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1695078690/Ole10Native
    Size: 248611 bytes

Detection

  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact entropy is 7.98, consistent with packed or encrypted content.