Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 dcf86cd8c74b124a…

MALICIOUS

Office (OLE) / .DOCX

Size: 539.5 KB
Created: 2021-08-03 10:29:00
Authoring application: Microsoft Office Word
MD5: aa1f5d627b6cfb20931df3e28076863b
SHA-1: 2573a06ce8014caeab2dcf8eb538ceb18a3c3bd7
SHA-256: dcf86cd8c74b124a830d18865defb1aed8b8874861db625d1e8b10d57a19fcce
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The Document_Open macro runs automatically when Word opens the document (T1059.005). It copies the host document, and therefore the macro itself, into the user's template directory as 'qq.doc' and then attempts to open that saved copy, most likely to run a second stage or to establish persistence from the template location (the basis for the T1547.001 mapping above). The macro also contains file-search logic, which may be used to enumerate documents for exfiltration or to locate other malicious components. An auto-executing entry point combined with self-copying into a user-profile location is strong evidence of malicious intent.
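As an added illustration, not code from the report or from the analyzer that produced it, the following Python script shows how the behaviours described above can be flagged from decoded VBA source: an auto-executing entry point, a reference to the user's template directory, a copy of the host document, a re-open of the copy, and a directory search. The VBA text inside it is constructed for this example and is not the sample's macros.bas; the rule names, weights and thresholds are assumptions for the illustration, not the analyzer's scoring.

```python
import re
from typing import Dict, List

# Constructed VBA source standing in for the kind of Document_Open macro the
# report describes. It is NOT the sample's macros.bas; the procedure body and
# the 'qq.doc' staging path are illustrative stand-ins.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim tgt As String
    tgt = Options.DefaultFilePath(wdUserTemplatesPath) & "\qq.doc"
    FileCopy ThisDocument.FullName, tgt
    Documents.Open FileName:=tgt
    Dim f As String
    f = Dir(Environ("USERPROFILE") & "\Documents\*.doc")
    Do While f <> ""
        ' collect names for later use
        f = Dir
    Loop
End Sub
'''

# Constructed benign macro for contrast: no auto-exec entry point, no file I/O.
BENIGN_VBA = r'''
Sub FormatTable()
    Selection.Tables(1).Style = "Table Grid"
End Sub
'''

# Each rule: (name, weight, regex). Names mirror the behaviours called out in
# the report; the weights are an assumption for this example.
RULES = [
    ("auto_exec", 40, re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I)),
    ("template_path", 20, re.compile(r"wdUserTemplatesPath|DefaultFilePath|NormalTemplate|\\Templates\\", re.I)),
    ("self_copy", 20, re.compile(r"\bFileCopy\b|\.SaveAs2?\b|\.CopyFile\b", re.I)),
    ("reopen", 10, re.compile(r"Documents\.Open\b", re.I)),
    ("file_search", 10, re.compile(r"\bDir\s*\(|FileSystemObject|\.GetFolder\b", re.I)),
    ("exec_or_download", 30, re.compile(r"\bShell\b|WScript\.Shell|URLDownloadToFile|XMLHTTP|powershell", re.I)),
]


def triage_vba(source: str) -> Dict[str, List[str]]:
    """Return {rule_name: [matching source lines]} for every rule that fires."""
    findings: Dict[str, List[str]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # drop VBA comments (naive: ignores ' inside strings)
        if not code.strip():
            continue
        for name, _weight, rx in RULES:
            if rx.search(code):
                findings.setdefault(name, []).append(f"{lineno}: {code.strip()}")
    return findings


def score(findings: Dict[str, List[str]]) -> int:
    """Sum the weights of the rules that fired (each rule counts once)."""
    weights = {name: w for name, w, _ in RULES}
    return sum(weights[name] for name in findings)


def verdict(source: str) -> str:
    """Map the score to a label; thresholds are an assumption for this example."""
    s = score(triage_vba(source))
    return "MALICIOUS" if s >= 60 else "SUSPICIOUS" if s >= 30 else "CLEAN"


if __name__ == "__main__":
    for label, src in (("constructed dropper", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        found = triage_vba(src)
        print(f"{label}: score={score(found)} verdict={verdict(src)}")
        for rule, lines in found.items():
            print(f"  [{rule}]")
            for ln in lines:
                print(f"    {ln}")
```

On real input, feed it the decoded source that olevba writes out (the macros.bas artifact below); the comment stripping is deliberately naive, so a string literal containing an apostrophe can hide part of a line from the rules, which is itself a reason analysts re-read auto-exec procedures by hand.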

Heuristics (5)

  • OLE_EPRINT_EMF_OBJECT (high, CVE related): Office EPRINT stream contains EMF object
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and, when paired with other Office exploit payload anomalies, is evidence for the CVE-2007-3893/MS07-046 family; a malformed EMF record is not proven by this rule alone.
  • OLE_VBA_DOCOPEN (high): Document_Open macro
    The VBA project contains a Document_Open procedure, which Word runs automatically when the document is opened.
  • OLE_VBA_MACROS (medium): VBA macros detected
    Document contains VBA macro code.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below are XML namespace identifiers (the Office encryption and key-encryptor schemas and the DrawingML schema) taken from the document's XML, not network indicators.
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind         Source                                                        Size
macros.bas          vba-macro    oletools.olevba.extract_macros (decoded VBA source)           2673 bytes
                    SHA-256: c9dd69f59b02fb72a7f9c5f33a81fb63cfcc988dca467df03a1261ca6f1317f5
ole10native_00.bin  ole-package  OLE Ole10Native stream: ObjectPool/_1689466344/Ole10Native   368925 bytes
                    SHA-256: 8e716354a241893cf79ad19e9a350f37a17b739321766222fb39a459fb87e4bc
Detection
ClamAV: No threats found (a signature miss; it does not offset the behavioural indicators above)
Obfuscation or payload: likely
Carved artifact entropy is 7.98 bits per byte, close to the 8.0 maximum and consistent with packed or encrypted content; plain VBA source and ordinary document XML sit well below this.
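To make the carved-artifact entropy figure concrete, here is an added Python example, not code from the report or from oletools, that carves the embedded file out of an Ole10Native stream and scores its Shannon entropy in bits per byte. The stream it parses, the payload bytes and the 7.5 threshold are constructed assumptions for this example; the header layout follows the Ole10Native structure as documented by oletools' oleobj parser.

```python
import hashlib
import math
import struct
from typing import NamedTuple, Tuple


class Ole10Native(NamedTuple):
    label: str
    src_path: str
    temp_path: str
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _cstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated ANSI string starting at pos; return (text, next pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Carve the embedded file out of an Ole10Native stream.

    Layout (as documented for Ole10Native by oletools' oleobj):
      u32 size of everything that follows
      u16 flags (0x0002 for an embedded file)
      label NUL, source path NUL
      u32 unknown (3), u32 length of the temp path including its NUL
      temp path NUL
      u32 payload size, then the payload bytes
    """
    (flags,) = struct.unpack_from("<H", stream, 4)  # offset 0..4 is the total size
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    _unknown, _temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path, pos = _cstring(stream, pos)
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if size > len(stream) - pos:
        raise ValueError(f"payload size {size} exceeds remaining stream ({len(stream) - pos} bytes)")
    return Ole10Native(label, src_path, temp_path, stream[pos:pos + size])


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Constructed stream builder, used here only to produce offline test input."""
    body = struct.pack("<H", 0x0002)
    body += label.encode() + b"\x00" + src_path.encode() + b"\x00"
    tmp = temp_path.encode() + b"\x00"
    body += struct.pack("<II", 3, len(tmp)) + tmp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def pseudo_random(n: int, seed: bytes = b"report-example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def classify(payload: bytes, threshold: float = 7.5) -> Tuple[float, str]:
    """Return (entropy, label); the threshold is an assumption for this example."""
    e = shannon_entropy(payload)
    return e, ("packed/encrypted" if e >= threshold else "plain")


if __name__ == "__main__":
    # Constructed inputs: one near-random payload, one ordinary text payload.
    packed = build_ole10native("payload.bin", "C:\\src\\payload.bin", "C:\\Temp\\payload.bin", pseudo_random(32768))
    text = build_ole10native("notes.txt", "C:\\src\\notes.txt", "C:\\Temp\\notes.txt",
                             b"This is an ordinary text document. " * 200)
    for stream in (packed, text):
        obj = parse_ole10native(stream)
        e, label = classify(obj.payload)
        print(f"{obj.label}: {len(obj.payload)} bytes, entropy {e:.2f} bits/byte -> {label}")
```

Against the real sample the stream would come from the ObjectPool/_1689466344/Ole10Native path listed above (olefile's openstream gives the bytes); the size check in parse_ole10native is what turns a truncated or lying length field into a clean error instead of a silently short carve.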