Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fee2753559dbe1c4…

MALICIOUS

Office (OLE)

Size: 156.5 KB
Created: 2017-05-10 08:48:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 51b8124b774fe840b6f455fcc8d3fa54
SHA-1: 2e6ecec899ef15a893911773cf7570452d018416
SHA-256: fee2753559dbe1c48a1a85309388f1ba8bf9f3848e0f983c9828e9590b9981eb
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1055 Process Injection

The sample is an Office document containing a VBA project. A critical heuristic fired on a string reference to the WriteProcessMemory API, a Win32 call commonly used for process injection (T1055). The decoded VBA source extracted by olevba, however, consists of a single module ("montana") that holds only Attribute lines and no executable statements, so the extracted source does not show where or how the API is called. The reference must therefore sit outside the decompressed source: possibilities include compiled p-code that no longer matches the stored source (VBA stomping), another OLE stream, or an embedded object, and confirming which requires inspecting those streams directly. The API reference is consistent with a payload being injected into another process, but nothing in the static findings evidences a download stage, and no specific family could be identified.

Heuristics (2)

  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
    The file contains a string reference to the WriteProcessMemory API, a Win32 call commonly used for process injection.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
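The two heuristics above, and the reconciliation the narrative relies on, can be reproduced in a few lines. The following is an added example, not code from this report or from oletools: it reimplements the "no executable statements" check and the API-string scan on constructed input, then flags API names that appear in the raw file but in none of the decoded modules, which is exactly the situation this sample presents. ATTRIBUTE_ONLY_MODULE is abridged from the preview below; INJECTOR_MODULE and SAMPLE_OLE_BYTES are constructed for contrast and are not the sample's content; extract_modules assumes oletools' VBA_Parser API and is only needed for a real file.

```python
from __future__ import annotations

import re

# --- constructed inputs (not carved from the sample) -------------------------

# Abridged from the report's preview: attribute lines only, no statements.
ATTRIBUTE_ONLY_MODULE = '''Attribute VB_Name = "montana"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'''

# Hypothetical module that does declare the API, for contrast.
INJECTOR_MODULE = '''Attribute VB_Name = "Module1"
Option Explicit
' Win32 import used by process-injection macros
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" ( _
    ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, _
    ByRef lpBuffer As Any, ByVal nSize As LongPtr, ByRef lpWritten As LongPtr) As Long
Sub AutoOpen()
    Rem a real sample would allocate, write and start a remote thread here
End Sub
'''

# Stand-in for the raw file: OLE magic, filler, and the API name stored as
# UTF-16LE the way many OLE streams store strings. Not the sample's bytes.
SAMPLE_OLE_BYTES = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 16
    + "WriteProcessMemory".encode("utf-16-le")
    + b"\x00" * 16
)

API_NAMES = ("WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread")

# --- heuristic 1: does the extracted source contain any statements? ----------

# Attribute/Option lines and comments are not executable statements.
_NON_EXECUTABLE = re.compile(r"^(?:attribute\s|option\s|'|rem\b)", re.IGNORECASE)


def executable_lines(vba_source: str) -> list[str]:
    """Return the lines that are not blank, Attribute, Option or comment."""
    kept = []
    for raw in vba_source.splitlines():
        line = raw.strip()
        if line and not _NON_EXECUTABLE.match(line):
            kept.append(line)
    return kept


def has_no_executable_statements(vba_source: str) -> bool:
    return not executable_lines(vba_source)


# --- heuristic 2: string reference to an injection API anywhere in the file --

def api_references(data: bytes, names=API_NAMES) -> dict[str, list[str]]:
    """Map each API name found in the raw bytes to the encodings it appears in."""
    found = {}
    for name in names:
        encodings = [enc for enc in ("ascii", "utf-16-le") if name.encode(enc) in data]
        if encodings:
            found[name] = encodings
    return found


# --- reconcile the two checks --------------------------------------------------

def assess(raw_file: bytes, modules: dict[str, str]) -> dict:
    """Combine both checks the way the report's narrative does.

    An API name present in the file but absent from every decoded module
    cannot be explained by the extracted source: it may live in compiled
    p-code that differs from the source (VBA stomping), in another OLE
    stream or in an embedded object, so the analyst has to look past olevba.
    """
    refs = api_references(raw_file)
    in_source = {n for n in refs if any(n in src for src in modules.values())}
    return {
        "api_refs": refs,
        "attribute_only_modules": sorted(
            name for name, src in modules.items() if has_no_executable_statements(src)
        ),
        # Names present in the file but in none of the decoded modules.
        "refs_outside_source": sorted(set(refs) - in_source),
    }


def extract_modules(path: str) -> dict[str, str]:
    """Decode module source from a real file with oletools (assumed installed)."""
    from oletools.olevba import VBA_Parser

    parser = VBA_Parser(path)
    try:
        return {vba_filename: code for _, _, vba_filename, code in parser.extract_macros()}
    finally:
        parser.close()


if __name__ == "__main__":
    print(assess(SAMPLE_OLE_BYTES, {"montana": ATTRIBUTE_ONLY_MODULE}))
    print(assess(INJECTOR_MODULE.encode(), {"Module1": INJECTOR_MODULE}))
```

On the constructed OLE stand-in with the attribute-only module, assess reports WriteProcessMemory under refs_outside_source; with the injector module and its own bytes as the file, the reference is accounted for by the source and that list is empty. For a real document, pass the file's bytes together with extract_modules(path); a non-empty refs_outside_source is the cue to dump the VBA streams and compare the p-code against the source rather than trusting the decoded text alone.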

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 341 bytes
SHA-256: 9b98e7a7f71521853f6572e28af0ef2db44555d7389b26db15c6fcb5aae0965b

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "montana"
Attribute VB_Base = "0{0CAD1601-648B-4505-95F2-2DFC6D5DB687}{DEE098BA-24D6-4122-BA87-999B4E52D169}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False