Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ad215c3ccc2d2401…

MALICIOUS

Office (OLE)

90.0 KB
Created: 2009-09-23 20:52:00
Authoring application: Microsoft Macintosh Word
MD5: 9e03f3ea66f438a74eebd7ef23f460f2
SHA-1: 8931f1d560043088f1d7e372a6dc783e8a433f1b
SHA-256: ad215c3ccc2d24017f713594a834076f45ce2bd30f68d739e63a4a76b6847b7d
100 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing a large VBA macro, triggered by AutoOpen and Auto_Close functions. The document body discusses the launch of a food-related online network, likely a lure. The embedded VBA macros are the primary mechanism for malicious activity, and the presence of AutoOpen/Auto_Close suggests an attempt to execute code upon opening or closing the document. The URLs extracted are likely part of the lure or potentially used for command and control.

Heuristics 4

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.nextnewnetworks.com/
    • http://hungrynation.tv
    • http://www.hungrynation.tv
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
8dfd95711449b9ec1142651e34f49df7d7852628481a3a3e01f0b8829769dc39
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10280 bytes