Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d05d0d93538c0d48…

MALICIOUS

Office (OLE) / .DOC

Size: 340.5 KB
Created: 2009-07-30 02:25:00
Authoring application: Microsoft Office Word
MD5: d89cf95f661ceaf3f3c00c48f02f174a
SHA-1: 133c5ed9d40592edd4253b476706ec9b3fe6afa5
SHA-256: d05d0d93538c0d48b2dcc923196ff0410a86f5198228e94a14dd9d0696224c77
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell
T1218 System Binary Proxy Execution

The document contains explicit instructions to use the clipboard to execute commands via the command line or PowerShell, as indicated by the 'SE_CLIPBOARD_COMMAND_LURE' and 'SE_LOLBIN_RUN_COMMAND' heuristics. The embedded PHP code, identified as r57shell, is a known web shell often used to provide remote administration capabilities. The URLs associated with 'rst.void.ru' and 'ghc.ru' are likely command-and-control or payload hosting locations. The presence of a web shell suggests the attacker's intent is to gain remote access and execute further commands.

Heuristics (3)

  • Clipboard command execution lure (severity: high) SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visible LOLBin command execution instruction (severity: high) SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://rst.void.ru
    • http://rst.void.ru/r57shell_version/version.php?img=1&version=
    • http://rst.void.ru/r57shell_version/version.php?version=
    • http://rst.void.ru/*
    • http://ghc.ru/*