Office (OLE) / .DOC malware analysis — malicious · cc850d9ecc010f1a

MALICIOUS

Office (OLE) / .DOC

69.5 KB Created: 2021-05-19 06:17:00 Authoring application: Microsoft Office Word

MD5: cc10c8cbf26d662a15be8d6e144464cc SHA-1: 5dd70db1b61a0574bec44902115301bdbc4f96c4 SHA-256: cc850d9ecc010f1a9876a54c256fa410b7b4ab20a324a6d34561c8fac6d034aa

362 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1218.011 System Binary Proxy Execution: Rundll32 T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The sample is a malicious OLE document containing a VBA macro. The macro is triggered by the Document_Open event, displaying a fake success message to the user. It then proceeds to execute suspicious commands, including references to WinExec and certutil, indicating an attempt to download and execute a second-stage payload. The presence of a 'Clipboard command execution lure' heuristic suggests the macro may also instruct the user to interact with the clipboard for execution, further increasing the maliciousness.

Heuristics 10

LOLBin reference in VBA critical OLE_VBA_LOLBIN

LOLBin reference in VBA
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to certutil (download/decode) high SC_STR_CERTUTIL

Reference to certutil (download/decode)
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `77dc0f063b3f3193c92f27256982cbe213851756df44b4a819fc4b8f9bf94a18`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5869 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.