Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b621c0e744c03b45…

MALICIOUS

Office (OLE) / .DOC

421.0 KB Created: 2023-06-14 12:48:00 Authoring application: Microsoft Office Word First seen: 2023-06-15
MD5: 263c40e75dea5a08037568572430abe6 SHA-1: 985c5be65b55768ffc34a44335c8d33042d44d35 SHA-256: b621c0e744c03b45c0b32f244a6b8b4a84c449ffde4a62e52d8acfdf6fac264a
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious Link

The sample contains VBA macros and uses CreateObject, indicating a malicious script is present. The document body uses a fake prize draw lure, consistent with phishing or scam tactics. The VBA macro likely attempts to download and execute a second-stage payload, though the exact mechanism is obfuscated.

Heuristics (5)

  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA macros detected (medium) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Callback phishing phone lure (medium) [SE_CALLBACK_LURE]
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context; consistent with callback phishing or tech-support scam patterns
  • Fake invoice / payment lure (low) [SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  b930fd42c58a35a3b1e7d974438a82d37f91b436fc7e08ef6ba6da6d410df9f0
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     203706 bytes