Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e0c0ce95ec579e96…

MALICIOUS

Office (OLE) / .DOC

Size: 521.5 KB
Created: 2021-09-08 12:01:00
MD5: ea4d23f3054d3619f2e4e8fdf052263e
SHA-1: 1ea5eb06607dda02a6b3cfb9476cb101ff823e49
SHA-256: e0c0ce95ec579e96e6ccfa47414cc7988aaea330bf55cb238c951405ca2006f1
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample contains a VBA macro that executes upon opening the document. This macro attempts to disable security warnings and then opens a password-protected document named 'reform.doc' with the password '2281337'. The macro also attempts to write to several registry keys related to Office security settings, likely to facilitate further malicious activity. The presence of the Document_Open macro and the attempt to bypass security measures indicate a malicious intent to deliver a payload or perform further actions.

Heuristics (5)

  • Office EPRINT stream contains EMF object (severity: high, CVE-related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.microsoft.com/office/2006/encryption
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: 0a06014613143cbe2a99a6668797fa75d777745e4cb0cc3d3e516c00f52b7709
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 2886 bytes

Artifact 2
  Filename: ole10native_00.bin
  SHA-256: c14c2950f2bf2b0b9f45bae327f4a499e0e0703355490ddb15278dfc2f446340
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1692582292/Ole10Native
  Size: 340801 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.