Office (OLE) / .DOC malware analysis — malicious · e98c8375b910df8a

MALICIOUS

Office (OLE) / .DOC

501.5 KB Created: 2001-04-09 09:08:00 Authoring application: Microsoft Office Word

MD5: 800b418713a718b89f93c9ab4c60470e SHA-1: f6798e7d6bac9c37b0525f247e3d6ae1891f7fc6 SHA-256: e98c8375b910df8a6ab75779fc28d8300ad31b4f1cd1c763017a79f2769e68df

408 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample contains VBA macros that utilize WScript.Shell and CreateObject, indicating an attempt to execute arbitrary code. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document is designed to trick the user into opening a password-protected archive, which is a common delivery mechanism for malware. The presence of 'macros.bas' further supports the macro-based execution. The primary intent appears to be downloading and executing a second-stage payload.

Heuristics 11

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Doc.Dropper.Generic-9784132-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Generic-9784132-0
Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x41 (A) bytes found
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fe03dfcb03ed9d8ad45eb8db7f47e469535c97fe12ab84cb9083b35d27dd524d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	47047 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.