Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f7999d5f822e2e88…

MALICIOUS

Office (OLE) / .DOC

280.0 KB Created: 2006-05-18 23:15:00 Authoring application: Microsoft Word 10.1
MD5: e51ef62876b8d50ccd2669a5e469d50a SHA-1: ce00ddddabfa18bc6e8df36f9a6be051669e63c3 SHA-256: f7999d5f822e2e8833f5e9e4b5f982232edf7ecf6989e8fc73ed0af45b9b9161
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

This Office document contains VBA macros, including a critical `Shell()` call, indicating it is designed to execute arbitrary commands. The presence of `macros.bas` and the `OLE_EQUATION_EDITOR` heuristic further suggest malicious intent. The primary function appears to be downloading and executing a second-stage payload, as indicated by the `OLE_VBA_SHELL` firing. The document body itself is benign scientific text, suggesting the malicious content is hidden within the macros.

Heuristics 7

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.gcmrc.gov/library/reports/physical/Fine_Sed/Grams2006.pdf
    • http://www.gcmrc.gov/library/reports/physical/Fine_Sed/Randle1987.pdf
    • http://www.gcmrc.gov/library/reports/physical/Fine_Sed/Schmidt2004.pdf
    • http://www.gcmrc.gov/library/reports/physical/Fine_Sed/Topping1997V1.pdf
    • http://www.gcmrc.gov/library/reports/physical/Fine_Sed/Topping1997V2.pdf
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
48d5e9abf98b85f9359965cbc0bf6f8a53f2e80561e95df95a42a07a19694d20		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5662 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
17ed23349d5c37c0c7fdefb6b52d35fdb438c747a0003dd803bb07f61e164b20		 ole-package OLE Ole10Native stream: ObjectPool/_1081429362/Ole10Native 102 bytes
ole10native_01.bin
2278fda87fc80af64c6b41911ef093ecff3804c75c430d19b0527105b5d0e027		 ole-package OLE Ole10Native stream: ObjectPool/_1081429672/Ole10Native 88 bytes
ole10native_02.bin
03209354887a17a4ef69428ee86fba4cc0491792a340bfb604b73bc35cf31f91		 ole-package OLE Ole10Native stream: ObjectPool/_1081429776/Ole10Native 66 bytes
ole10native_03.bin
1d4cedee0209e912ee581be7e70e7939daf1cf4ba84d9effe6185a3ccbe7bd65		 ole-package OLE Ole10Native stream: ObjectPool/_1081430297/Ole10Native 102 bytes
ole10native_04.bin
f6f59054bb52c37a15f5f3996586877a1a902de0ff075566fc0f64a1f8c98cb3		 ole-package OLE Ole10Native stream: ObjectPool/_1081432263/Ole10Native 318 bytes
ole10native_06.bin
4be6dc8320ff7300f5b305c035a5237026f1bcaa4a7126f6e96d4ce2b132a9de		 ole-package OLE Ole10Native stream: ObjectPool/_1082981039/Ole10Native 145 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.