Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ac6db1197afc83eb…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 974.0 KB
MD5: de781f6a9eaade63a87c48005db99062
SHA-1: 3100c00c0d037c432d51c53999503ab7c63a6138
SHA-256: ac6db1197afc83ebefece261845a78bff78fd959fb0a933eef8528e1ec5a3d59
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample contains VBA macros, including an AutoOpen macro, which is a common delivery mechanism for malicious documents. Heuristics indicate the use of CreateProcess and Windows Script Host, suggesting the execution of external code. The document body explicitly instructs the user to copy and paste content into a command-line context, a social engineering tactic to bypass security measures. The embedded URL http://rekenjura.com/QW8.exe is likely the payload download location.

Heuristics (8)

  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Visible LOLBin command execution instruction (high, SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://rekenjura.com/QW8.exe
      • https://www.marketwatch.com/investing

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  888a06c9179b2d98e9253a7015d9ea4ff7f49d8afcd7a3f9244804f2dee3ca1a
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     603345 bytes