Office (OLE) / .DOC malware analysis — malicious · bc95d72a4baf28db

MALICIOUS

Office (OLE) / .DOC

39.0 KB Created: 2020-09-26 06:20:00 Authoring application: Microsoft Office Word

MD5: 7f867885753ab40d72b2901da2a257fa SHA-1: acc561eca4f699f4522bc01ce5536dd9a0e56108 SHA-256: bc95d72a4baf28db6980859c4065834054c3a28b1791fdf4b8d448aa0ff82e7d

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document containing VBA macros, specifically an AutoOpen macro that uses GetObject to execute code. The document body suggests a lure related to financial technology registration. The embedded URL http://18.139.33.17/fintechsct$ is likely used to download a second-stage payload. The AutoOpen macro and GetObject call indicate an attempt to automatically execute malicious code upon opening the document.

Heuristics 5

AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://18.139.33.17/fintechsct$
- http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6292578857ea777f1305d5fa903971f81c786855a086e57fef3a7e5a54ac7a0a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1438 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.