Office (OLE) / .DOC malware analysis — malicious · f3f0d0112ffa52d8

MALICIOUS

Office (OLE) / .DOC

172.0 KB Created: 2021-01-25 09:28:00 Authoring application: Microsoft Office Word

MD5: a4034f791ed5368d79bea232cc4ed098 SHA-1: fe115002ee5aa2727e4492796eb868a1057d0f76 SHA-256: f3f0d0112ffa52d81073dcdbb182e32c2e28a58fa156ab70522287b1f1eafe2b

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell

The file contains a malicious VBA macro, specifically a Document_Open macro that uses GetObject to execute code. This indicates the document is designed to run arbitrary code upon opening. The ClamAV detection further confirms its malicious nature. The embedded URL is benign and likely a red herring.

Heuristics 6

ClamAV: Doc.Malware.Valyria-10034158-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Valyria-10034158-0
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f3c1208957a8588b8a5352b63af9a94a87401fa2b1f98d6dafce63f68312781e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8529 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.