Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dc9940e0344075ab…

MALICIOUS

Office (OLE) / .DOC

22.0 KB First seen: 2022-11-06
MD5: f358ef1a710785d1976b99cafe3008dc SHA-1: e6b6e37419babb6ee2e814984aaedd97c612f340 SHA-256: dc9940e0344075ab9499ea007793e9ff8177f89b3b76c79f2186826cbd21a067
302 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample contains obfuscated VBA macros that are triggered by the Workbook_Open event. These macros attempt to download a file from the URL 'https://www.mediafire.com/file/g6luj3uyngepzop/4.txt/file' and execute it using Shell.Application. The obfuscation and use of Shell.Application indicate a malicious intent to download and run a second-stage payload.

Heuristics 8

  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.mediafire.com/file/g6luj3uyngepzop/4.txt/file

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
07a011b09615e0664ac294efc76ee438ce01a16618e0ba2f1038995151630629		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2474 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.