Malicious Office (OLE) / .DOT — malware analysis report

Static analysis result for SHA-256 9cf8450039bb9925…

MALICIOUS

Office (OLE) / .DOT

Size: 1.87 MB
Created: 2005-06-09 07:08:00
Authoring application: Microsoft Office Word
MD5: 279b99590acc51f7747206a604d7c7a0
SHA-1: c72910f73a743557bdc1985e3afb0eb60a7771f4
SHA-256: 9cf8450039bb992502cca4610f44a5467060003c164a44c3c9683e8d347793d5
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is a .DOT template carrying a large VBA macro (the decoded source is about 392 KB). Static heuristics find Shell() and CreateObject() calls together with VBA string obfuscation (strings assembled from Chr/ChrW calls), which together indicate a macro built to execute arbitrary commands; an Environ() call and an ADODB.RecordSet reference are also present. The extracted 'macros.bas' is flagged as a suspicious artifact on its own. The visible document body is in German and reads as a warning against modifying the template; that text does not account for the macro behaviour, which is what drives the malicious verdict.

Heuristics (7)

  • ADODB.RecordSet reference (CVE-2015-0097 pattern)  (severity: high, rule: CVE_2015_0097)
    The rule keys on the ADODB.RecordSet reference associated with CVE-2015-0097. This is a string-level match and does not by itself confirm that a working exploit path is present.
  • Shell() call in VBA  (severity: critical, rule: OLE_VBA_SHELL)
    The macro calls Shell(), which launches an arbitrary command line from within the document.
  • CreateObject() call  (severity: high, rule: OLE_VBA_CREATEOBJ)
    The macro instantiates COM objects by ProgID at runtime, so the objects it actually uses need not appear as static references.
  • Suspicious extracted artifact  (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected  (severity: medium, rule: OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Environ() call (environment variable access)  (severity: low, rule: OLE_VBA_ENVIRON)
    The macro reads environment variables, typically to locate paths such as TEMP or the user profile.
  • Embedded URL  (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://support.microsoft.com/default.aspx?scid=kb;en-us;827742 (trailing non-URL bytes from the extractor dropped)
    • http://support.microsoft.com/kb/817112/
    • http://office.microsoft.com/en-us/assistance/HA011403201033.aspx

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   macros.bas
SHA-256    27702041e6b7f240b56a00d83d687827b9b3e9fd9435c6d93ddbc95c4305d4cc
Kind       vba-macro
Source     oletools.olevba.extract_macros (decoded VBA source)
Size       392994 bytes
Detection
ClamAV: No threats found (a clean signature result on decoded macro text carries little weight; the static heuristics above are the operative verdict)
Obfuscation or payload: likely
The carved artifact contains 13 Chr/ChrW string-construction calls, the pattern used to assemble strings at runtime so that command lines and ProgIDs do not appear as literals.
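The checks the report applies to the carved macro (the Shell/CreateObject/Environ/ADODB.RecordSet indicators and URL extraction in the heuristics list, and the Chr/ChrW string-construction count in this Detection block) can be reproduced on any decoded VBA source. The script below is an added example written for this page; it is not the analysis platform's code nor part of oletools. The VBA it runs on is a constructed sample that imitates the flagged behaviours, not the macro from this .dot file, and the regexes are simplified approximations of the rules named in the report. On a real sample the input would be the decoded source that olevba extracts (the page's oletools.olevba.extract_macros stage).

```python
import re

# Constructed sample of decoded VBA source (assumption: modelled on the
# behaviours the report flags; NOT the macro from the analysed .dot file).
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
' see http://support.microsoft.com/kb/817112/
Private Sub Document_Open()
    Dim cmd As String, tmp As String, rs As Object
    cmd = Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    tmp = Environ("TEMP")
    Set rs = CreateObject("ADODB.Recordset")
    Shell cmd & " /c echo " & tmp, vbHide
End Sub
'''

# Rule id -> (regex, severity). Ids and severities follow the report's
# heuristics; the regexes are this example's own simplified approximations.
# VBA is case-insensitive, so every pattern is compiled with re.IGNORECASE.
INDICATORS = {
    "OLE_VBA_SHELL":     (r"\bShell\b", "critical"),
    "OLE_VBA_CREATEOBJ": (r"\bCreateObject\s*\(", "high"),
    "CVE_2015_0097":     (r"\bADODB\.RecordSet\b", "high"),
    "OLE_VBA_ENVIRON":   (r"\bEnviron\s*\(", "low"),
}
COMPILED = {rid: (re.compile(rx, re.I), sev) for rid, (rx, sev) in INDICATORS.items()}

# A single Chr(), ChrW() or Chr$() call with a decimal code point.
CHR_CALL = re.compile(r"\bChrW?\$?\s*\(\s*(\d+)\s*\)", re.I)
# A run of two or more such calls joined with & or +, i.e. a string built
# character by character so that it never appears as a literal.
CHR_RUN = re.compile(
    r"\bChrW?\$?\s*\(\s*\d+\s*\)(?:\s*[&+]\s*\bChrW?\$?\s*\(\s*\d+\s*\))+", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# A decoded run containing any of these is treated as an execution/download term.
EXEC_TERMS = ("cmd", "powershell", ".exe", "wscript", "http")

def matched_indicators(src):
    """Return {rule_id: severity} for every rule whose pattern occurs in src.
    Matches inside comments and string literals count too; for triage a
    false positive is cheaper than a miss."""
    return {rid: sev for rid, (rx, sev) in COMPILED.items() if rx.search(src)}

def count_chr_calls(src):
    return len(CHR_CALL.findall(src))

def decode_chr_runs(src):
    """Rebuild the literal that each Chr()-concatenation run evaluates to."""
    return ["".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0)))
            for m in CHR_RUN.finditer(src)]

def extract_urls(src):
    return sorted(set(URL_RE.findall(src)))

def triage(src, chr_threshold=10):
    """Static triage of one decoded macro. Returns the same kinds of facts the
    report lists: indicators hit, Chr/ChrW call count, decoded strings, URLs,
    and an obfuscation verdict (many Chr calls, or a decoded run that spells
    an execution/download term)."""
    decoded = decode_chr_runs(src)
    chr_calls = count_chr_calls(src)
    suspicious = [d for d in decoded if any(t in d.lower() for t in EXEC_TERMS)]
    return {
        "indicators": matched_indicators(src),
        "chr_calls": chr_calls,
        "decoded_strings": decoded,
        "urls": extract_urls(src),
        "obfuscation_likely": chr_calls >= chr_threshold or bool(suspicious),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

The Chr-run decoder is the part worth keeping: a bare count of Chr/ChrW calls, like the 13 reported here, tells you obfuscation is present, while the decoded runs tell you what was hidden (on the constructed sample, the string "cmd.exe" that is then passed to Shell). Threshold and term list are assumptions chosen for the example and should be tuned against your own benign template corpus.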