Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c5912424f920b71…

MALICIOUS

Office (OLE)

217.0 KB Created: 2021-07-15 16:54:00 Authoring application: Microsoft Office Word
MD5: a1bb900ae8003b924f333442c4117a84 SHA-1: 126cd9e2de926ade2cdb20fb8d2a059b7786fde6 SHA-256: 9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains a VBA macro named 'Document_Open' which is automatically executed when the document is opened. This macro utilizes 'CreateObject("Shell.Application")' to execute a command, likely to download and run a secondary payload. The macro attempts to construct a command string from the document's content and its own codename, which is then passed to ShellExecute.

Heuristics 5

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f12e3914b7d6e0a53e9446f3d60a03cf8471f6b8f3b30f922c7664f6567a33a7		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1078 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.