Malicious Office (OLE) / .DOC — malware analysis report

Heuristics 8

• Reference to Windows Script Host high SC_STR_WSCRIPT
  Reference to Windows Script Host
• Document_Open macro high OLE_VBA_DOCOPEN
  Document_Open macro
• GetObject call high OLE_VBA_GETOBJ
  GetObject call
• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• VBA macros detected medium OLE_VBA_MACROS
  Document contains VBA macro code
• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://factory.akl.today/6uSMMukJ.php

  • https://Spidsolutions.com/vendor/aferrandini/phpqrcode/cache/BWoo3hBwVEB.php
  • http://utv1.enliden.net/wp-includes/sodium_compat/namespaced/Core/ChaCha20/yqxc0YtjhvHQ.php
  • https://hotelbooking.muhashin.com/wp-content/plugins/goodlayers-importer/images/NRC3HGfmpAeXt.php
  • http://narayan.website-demos.net/uYLP5cJ2C.php
  • https://iltuoteamadvertising.it/wp-content/uploads/2020/02/IE0gQoxjCDElkKq.php
  • http://lebfinder.fr/FdCtcVXXoRl5.php
  • https://www.keeptalking.gr/en/wp-content/plugins/page-builder/class/SvlYLuLTgj.php
  • https://deserta.ae/wp-content/plugins/sg-cachepress/core/Activator/tMMu7nGCya36k.php
  • https://alegsanatate.ro/QQv2qead.php
  • http://acceso.duward.es/class/dat/pdfClass/font/makefont/wyT7jLM2xYghVB.php
  • https://plus.inovento.com/assets_old/plugins/fancybox/demo/NeueuKvQJfN.php
  • https://atpcsm.be/wp-content/themes/itheme2/uploads/bg/7dcOpKBYf8Loh0.php
  • http://sevenseasinternational.in/wp-includes/js/tinymce/themes/inlite/wYhuZMU1c.php
  • http://patsisgroup.gr/wp-content/plugins/wordpress-seo/js/dist/HXz3vq4fWCLOa.php
  • https://gmtrip.resultaweb.com.br/documentacao/clientes/rafaelagenciaturismo/contrato/emissao/dOkAwT1T.php
  • http://assets.helloguide.com/images/galleries/outdoor-activities/canyoning/xHVHYMlBDzi.php
  • https://makeupme.co.za/maktest2/wp-content/uploads/2019/07/oaSWIpgC2.php
  • https://karakas.com.gr/edHep7KkeO7.php
  • https://timeon.in/wp-includes/js/tinymce/plugins/charmap/W3wvvkEd.php
  • https://uniqaforforeigners.cz/wp-content/plugins/wordpress-seo/js/dist/8K3NWRnlIqyQrm.php
  • http://api.test.mastertube.com/css/font/ZIiBP6mw8JZ5S3V.php
  • https://marshallsremodelingco.com/wp-content/plugins/elementor/data/base/aHePs90P.php
  • https://das-ohr-am-frankfurter-tor.de/wp-content/uploads/2020/01/jvfLNAcQkdUD5E.php
  • https://goodsmaroc.achusweb.com/wp-content/themes/Divi/includes/builder/p2JDjZkSG62.php
  • https://mijn3.easyofficeonline.nl/bundles/sensiodistribution/webconfigurator/css/oXQ6O5r9ChR.php
  • https://abrimmo49.fr/wfKFjffFrV.php
  • https://cdn.examdunia.com/site/js/jquery.fileupload/vendor/EDezZkK0.php
  • http://schemas.openxmlformats.org/drawingml/2006/main
  • http://www.w3.org/1999/XSL/Transform

Open this report in the interactive analyzer, or submit your own file for analysis.