Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 dc40e48d2eb0e57c…

MALICIOUS

Office (OLE) / .DOCX

Size: 830.5 KB
Created: 2020-05-10 00:31:00
Authoring application: Microsoft Office Word
MD5: 7dbd8ecfada1d39a81a58c9468b91039
SHA-1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA-256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a malicious OLE document containing VBA macros. The macros utilize `CreateObject` and reference `certutil` for downloading and decoding payloads, indicating an Ingress Tool Transfer (T1105) attack pattern. The presence of `winmgmts:Win32_Process` and `Rundll32` suggests further execution of malicious code. The ClamAV detection of 'Doc.Dropper.Sagent-9765455-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Sagent-9765455-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Sagent-9765455-0
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
  • Reference to certutil (download/decode) high SC_STR_CERTUTIL
    Reference to certutil (download/decode)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 59c40f8490b9abca7c453578844cfc41a2fd7f3103e93a73ba4db49504b7ecee
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1511 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.