Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b0732ea6c168c283…

MALICIOUS

Office (OLE) / .DOC

Size: 438.0 KB
Created: 2002-05-13 09:18:00
Authoring application: Microsoft Word 8.0
MD5: fe48d015883d8f1e32e9dabc5bf4bc4a
SHA-1: 961862bf43c82a1e5b0d3c7209000173f97050ab
SHA-256: b0732ea6c168c283157ef5ee3713ab64b18937323d38509e977bea7fb3ea54c1
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is a Microsoft Word document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates that the macros attempt to execute commands via the Shell() function. The 'EXTRACTED_FILE_STATIC_TRIAGE' heuristic flags 'macros.bas' as a suspicious extracted artifact with VBA auto-execution terms. The document body discusses depression in women, likely a lure to encourage macro execution. The VBA macros are suspected to download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Trojan.Marker-1' on an extracted artifact.

Heuristics (5)

  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • ClamAV detection on extracted artifact (critical; EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious extracted artifact (high; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 98e2a63b7027e9791f06c94e7b6e2f44775758be7f12c131bd2d42a255421f3b
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7791 bytes
Detection: ClamAV Doc.Trojan.Marker-1
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.