Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d747ef417490620d…

MALICIOUS

Office (OLE) / .DOC

59.5 KB Created: 2021-09-17 06:09:00 Authoring application: Microsoft Office Word
MD5: 42cc3283b70db3120b8cd82cb2eb2a27 SHA-1: 72e62af22be5369a84eee71f21c65fb5b670b39b SHA-256: d747ef417490620d91d0f64262469fb8996cce9e0031fcc319fc4a0a39962dce
590 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1055 Process Injection T1059.001 PowerShell

The sample contains a VBA macro that utilizes WScript.Shell and CreateObject to execute commands. The macro references Windows API functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, indicating an attempt to inject code into another process. The ClamAV detection name 'Doc.Malware.Valyria-10023899-0' further supports its malicious nature. The macro is likely designed to download and execute a second-stage payload.

Heuristics 15

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • ClamAV: Doc.Malware.Valyria-10023899-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10023899-0
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • https://bit.ly/3jLzRoh

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
953de883a4cfbd825201ca403317f7b36d17c3135d23d2e660f941c076d11c67		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 6236 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.