Office (OLE) / .DOC malware analysis — malicious · f9bd3a815beaf9e9

MALICIOUS

Office (OLE) / .DOC

1.59 MB Created: 2021-12-07 15:54:00 Authoring application: Microsoft Office Word

MD5: 9168703c6e3c385d371ab19d8f3c8ad7 SHA-1: 4c42b07b32c4be8693a9cff8065f3a63de2af1b4 SHA-256: f9bd3a815beaf9e995e521edd22d17a06e5e1c4b1c2fdfa39f3837983716a70c

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing a VBA macro with an AutoOpen subroutine. The macro attempts to write obfuscated content to files named '1.png' and '2.png' within the 'c:\.intel\.rem\' directory, and creates a directory 'c:\.intel\.rem\.lang'. The VBA code appears to be designed to download and execute a second-stage payload, indicated by the file operations and the use of external library calls. The large slack space in the OLE structure is also a common indicator of malicious documents.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,668,804 bytes but its declared streams total only 980,429 bytes — 688,375 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `265affc1d78dfc8c8bf6efd573767fe8636d5a4ca03229666c7634bced48dbca`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	49451 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.