Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5a46c7bf81678d0…

MALICIOUS

Office (OLE)

Size: 153.0 KB
Created: 2019-01-16 06:54:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 139be35af940a871b42f1436d75237e7
SHA-1: fc4265e9e20b65f4ab0c1a9724e1ef1bace1e000
SHA-256: b5a46c7bf81678d088ad0cc33e679f60892d0fda774433153480bf975df11242
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The presence of a legacy WordBasic auto-exec macro (autoopen) and a reference to Windows Script Host indicates the document is designed to execute malicious code. The embedded URLs are highly obfuscated and likely point to malicious payloads or command and control infrastructure. The document body's corrupted nature prevents further analysis of its specific lure.

Heuristics (3)

  • Reference to Windows Script Host (severity: high; rule: SC_STR_WSCRIPT)
    Reference to Windows Script Host.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://qwV1tmp[ssacp[sm/29c_1 (in document text, OLE body)
    • http://p[stp[shp[s]sSEV1v+]gtV1+acp[sm/vzZMi_cPjZ@http://V1rV1mV1]fp[sp[ssSEacp[sm/w]f# (in document text, OLE body)
    • http://iglp[sp[s-fp[srmV1tip[s]afr/t8lqf9pPP_ywVhz7_wqM.@http://wwwasp11sSEzmar+/XhDjpb_0sihee1v_+ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)