Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9611a1b2c7a8b943…

MALICIOUS

Office (OLE) / .DOC

Size: 35.5 KB
Created: 2021-02-06 23:32:00
Authoring application: Microsoft Office Word
MD5: 620929bac58d05ecf13adba9f62fa55d
SHA-1: 4c61db0624962fd0aa826687a0787467f4cfbc15
SHA-256: 9611a1b2c7a8b943806eaff494300920e8addcf83bb8d837aee4f17a85c6f2d0
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious OLE document containing VBA macros, including AutoOpen and Document_Open, which are designed to execute automatically. The presence of VirtualAlloc API calls suggests the macro likely allocates memory for and executes shellcode. The specific payload and its ultimate goal could not be determined due to the lack of further script details or network indicators.

Heuristics (5)

  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e3ef953a21def7515f510815f77d6f8a140fb0a73b741afd7cf2a646706998be
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14122 bytes