Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8fffaf7f1c7ca536…

MALICIOUS

Office (OLE) / .DOC

Size: 94.0 KB
Created: 2020-03-19 13:21:36
Authoring application: Microsoft Excel
MD5: 4fe2c375cf8fda545a6962774e936c40
SHA-1: b448516a9ea30d1adde2fb8025975eccc36cea6e
SHA-256: 8fffaf7f1c7ca53677af38ed7677e8562829f4b810c117304a7607f13c14a296
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.005 Visual Basic
  • T1204.001 Malicious Link
  • T1105 Ingress Tool Transfer

The sample is an Excel 4.0 macro sheet (XLM) designed to lure the user into enabling macros. Upon enabling, it uses ShellExecute and URLDownloadToFile to download and execute a payload from the URLs http://ernher.com/baro.exe and http://arcoqa.com/apol.exe. The document body explicitly instructs the user to enable content, confirming the lure technique.

Heuristics (5)

  • Reference to URLDownloadToFile API [critical] (SC_STR_URLDOWNLOAD)
    Reference to the URLDownloadToFile API.
  • Reference to ShellExecute API [high] (SC_STR_SHELLEXEC)
    Reference to the ShellExecute API.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ernher.com/baro.exe
    • http://arcoqa.com/apol.exe