Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f15abed2f3d9de2b…

MALICIOUS

Office (OLE) / .DOC

Size: 23.0 KB
Created: 2009-07-15 12:34:00
Authoring application: Microsoft Word 10.0
MD5: 224c3b1392641aaa08095ad22d5a102c
SHA-1: 119bc3ce6382728a704952a1df1202e386088b96
SHA-256: f15abed2f3d9de2b8ac673a5bf10f87f536f212ea27ab66ae5841eb835b70d30
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains VBA code that attempts to copy itself to multiple system locations and register itself for execution via the registry Run key. Specifically, it copies itself to C:\MSKernel32.vbs, C:\Win32DLL.vbs, and C:\LOVE-LETTER-FOR-YOU.TXT.vbs, and attempts to create a Run key at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 pointing to C:\MSKernel32.vbs. The heuristic firings indicate references to Windows Script Host and a lure to execute commands via the clipboard, supporting the observed behavior.

Heuristics (3)

  • Reference to Windows Script Host (severity: high, ID: SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Clipboard command execution lure (severity: high, ID: SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.mirc.com