Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e90c7a1195e39921…

MALICIOUS

Office (OLE) / .DOC

Size: 87.0 KB
Created: 2003-05-05 07:43:00
Authoring application: Microsoft Word 9.0
MD5: 07c93303bca5aa723664fa55f2b0dd3c
SHA-1: ddfcbc8a260f74ed591d6ea9500ad1e87ef2a4a6
SHA-256: e90c7a1195e399211acd2e21810d7221f370e1ddc985f205523e15c6b94d6aad
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The sample is a Microsoft Word document containing VBA macros, specifically an AutoOpen macro that executes code using CreateObject. This indicates the document is designed to run malicious code upon opening and strongly suggests a macro-based malware delivery mechanism. The document body, presented as a supply agreement, serves as a lure to trick the user into enabling macros.

Heuristics 3

  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
  dcf6be3e83d630b626144658d4974470554759ef29cccf4c75b87083e24375fc
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2168 bytes