Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c6bf9d0300b6989a…

MALICIOUS

Office (OLE) / .DOC

431.0 KB Created: 2021-08-30 13:16:00 Authoring application: Microsoft Office Word
MD5: 3e01a8a619516bd010173ffe7d029008 SHA-1: 862c2ad050d653f0c6faa9e26979fbb80312143e SHA-256: c6bf9d0300b6989a4f5faf48aaf85cdd7aed278f70d8d291813070614bf45e41
104 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious DOC file containing a Document_Open VBA macro. This macro attempts to download and save a secondary payload to the user's template directory. The macro constructs the path for the saved file by concatenating strings, resulting in the path 'glib.docx'. The macro also attempts to modify the VBA warnings registry key to disable them, likely to prevent user prompts about macro execution. The specific payload and its ultimate purpose could not be determined due to macro obfuscation and truncation.

Heuristics 5

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9f487c36b82e274d38967e56a8d06fd191f49441ba17aa6311c462af13709465		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2955 bytes
ole10native_00.bin
8a693df914d6ee4c5d112146540c1341c281a4de7388eca63d260251a81f558c		 ole-package OLE Ole10Native stream: ObjectPool/_1691808959/Ole10Native 256303 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.