Office (OLE) / .DOC malware analysis — malicious · d133fa1bff40e542

MALICIOUS

Office (OLE) / .DOC

652.5 KB Created: 2020-01-13 11:14:00 Authoring application: Microsoft Office Word

MD5: 192c2c3e181ebf72e38705c2f6fab790 SHA-1: 7bfca7ebe53b97b4336dedb24c611a2492cea6a3 SHA-256: d133fa1bff40e542a6a7bc289e25a0530f17a251911221edbd7841810369f96a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The critical ClamAV heuristic firing indicates this document is a dropper, specifically 'Doc.Dropper.Agent-7538491-0'. The presence of VBA macros, along with high-severity heuristics for CreateObject and CallByName, strongly suggests that the macros are responsible for downloading and executing a secondary payload. The embedded URL, though marked as benign, is likely a decoy or a misconfiguration, as the primary indicator is the ClamAV detection of a dropper.

Heuristics 5

ClamAV: Doc.Dropper.Agent-7538491-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7538491-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b92c9718c3843ca0efc9aa706ab9489953477b573e8985ed22aac48a919d8cea`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8595 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.