Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 921138bc2b28d01a…

MALICIOUS

Office (OLE) / .DOC

Size: 260.0 KB
Created: 2020-05-16 15:58:00
Authoring application: Microsoft Office Word
MD5: 4dbe0aae563c613acf3991cca31b44ac
SHA-1: 345fced0c94e93dd69cf46e40ae4e71ee1aba6fc
SHA-256: 921138bc2b28d01a51e6673c6e61ba3237592d08875180e0b3749d8e47fdfd6d
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The presence of a critical OLE_VBA_SHELLCODE_CALLBACK_LOADER heuristic, along with a Document_Open macro, strongly suggests that this document is designed to execute shellcode upon opening. The shellcode likely uses VirtualAlloc and callback execution to decode and run a second-stage payload, as indicated by the 'auto-exec + VirtualAlloc + decoder API + callback execution + large blob' detail. The embedded URL, though benign according to the reputation label, is listed as an IOC due to its presence in the document text. The ClamAV detection further supports the malicious nature of the file.

Heuristics (7)

  • VBA shellcode callback loader (critical, OLE_VBA_SHELLCODE_CALLBACK_LOADER)
    VBA auto-exec macro allocates executable memory, decodes a large encoded blob into that memory, and invokes it through a callback API such as LineDDA/Enum*/CallWindowProc/CreateThread. This is a native payload loader rather than a document-parser CVE primitive.
  • ClamAV: Doc.Dropper.Shellex-8226825-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Shellex-8226825-0
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1bfea40b3b7f59e11345477f0b593e23e90bf032555b26401b17ce47d05aaa35
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11370 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Note: Carved artifact contains 9 long base64-like blob(s).