Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9105005851fbf7a7…

MALICIOUS

Office (OLE) / .DOC

Size: 7.32 MB
Created: 2020-05-22 00:05:00
Authoring application: Microsoft Office Word
MD5: 6b23cce75ff84aaa6216e90b6ce6a5f3
SHA-1: e6cc0ef23044de9b1f96b67699c55232aea67f7d
SHA-256: 9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical ClamAV detection and high-severity heuristics for OLE_VBA_DOCOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC indicate that this document contains a malicious VBA macro designed to execute automatically upon opening. The macro is likely responsible for downloading and executing a second-stage payload, as suggested by the 'Doc.Dropper.Agent-8024735-0' detection name. The presence of the Environ() call suggests potential interaction with environment variables, possibly to locate temporary directories or user information for payload staging.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-8024735-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-8024735-0
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.who
    • http://www.childmortality.org/files_v21/download/IGME%20report%202017%20child%20mortality%20final.pdf
    • http://aidsinfo.unaids/
    • http://www.haiweb.org/medicineprices/
    • https://washdata.org/sites/default/files/documents/reports/2018-01/JMP-2017-report-final.pdf
    • https://washdata.org/sites/default/files/documents/
    • http://www.ncdrisc.org/
    • http://applications.emro
    • http://apps.who
    • http://www.childmortality.org/
    • http://whohbsagdashboard.com/
    • http://whohbsagdashboard.com/#global-strategies
    • https://creativecommons.org/licenses/by-nc-sa/3.0/igo
    • http://apps.who.int/iris
    • http://apps.who.int/bookorders
    • http://www.who.int/about/licensing
    • http://www.who.int/about/what-we-do/gpw-thirteen-consultation/en/
    • http://www.who.int/about/what-we-do/gpw-
    • http://www.who.int/gho/en/
    • http://www.who.int/gho/en
    • http://www.who.int/gho/publications/world_health_statistics/2017/en/
    • https://www.researchgate.net/publication/304576854_Guidelines_for_Accurate_and_Transparent_Health_Estimates_Reporting_The_GATHER_statemen
    • https://www.researchgate.net/publication/304576854_
    • http://www.who.int/neglected_diseases/diseases/en/
    • http://apps.who.int/nha/database/Select/Indicators/en
    • http://apps.who.int/
    • http://www.who.int/gho/publications/world_health_
    • http://www.who.int/reproductivehealth/publications/monitoring/maternal-mortality-2015/en/
    • http://www.who.int/reproductivehealth/publications/
    • http://www.thelancet.com/journals/langlo/article/PIIS2214-109X(17)30325-X/fulltext
    • http://www.thelancet.com/journals/langlo/article/PIIS2214-
    • https://data.unicef.org/wp-content/
    • http://www.un.org/en/development/desa/population/theme/family-planning/cp_model.shtml
    • http://www.un.org/en/
    • https://esa.un.org/unpd/wpp/Download/Standard/Fertility/
    • https://esa.un.org
    • http://www.who.int/healthinfo/global_burden_disease/estimates/en/index3.html
    • http://www.who.int/healthinfo/global_
    • http://www.who.int/gho/hiv/en/
    • http://www.who.int/
    • http://www.unaids.org/sites/default/files/media_asset/Global_AIDS_update_2017_en.pdf
    • http://www.unaids.org/sites/default/files/media_asset/Global_
    • http://www.who.int/malaria/publications/world-malaria-report-2017/en/
    • http://www.who.int/malaria/publications/world-malaria-
    • http://www.who.int/tb/publications/global_report/en/
    • http://www.who.int/tb/publications/global_
    • http://apps.who.int/iris/bitstream/handle/10665/255016/9789241565455-eng.pdf?sequence=1
    • http://apps.who.int/gb/ebwha/pdf_files/WHA66/A66_20-en.pdf?ua=1
    • http://www.who.int/gho/neglected_diseases/en/
    • http://www.who.int/gho/neglected_diseases/
    +71 more URL(s)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8f1f0d378d6f3a4e42b2603da37656dc34e30bc29af7baff29f875a6427b3f53
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 178408 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.