{
	"id": "fcdfdbd4-1aab-49d1-9a1c-cc0c9202628d",
	"created_at": "2026-04-06T00:07:32.665969Z",
	"updated_at": "2026-04-10T03:21:42.448423Z",
	"deleted_at": null,
	"sha1_hash": "abf7c818fcebe223aea35c4dde17462ba66fc047",
	"title": "Analysis of MS Word to drop Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572803,
	"plain_text": "Analysis of MS Word to drop Remcos RAT\r\nBy Muhammad Hasan Ali\r\nPublished: 2022-05-05 · Archived: 2026-04-05 14:26:52 UTC\r\nAs-salamu Alaykum\r\nIntroduction\r\nRemcos RAT is delivered by phishing campaigns in the form of Excel and Word files; our sample is a Word file. It tries to trick the user into clicking Enable Content, which loads the macro code and then loads the next stage. We start our analysis using REMnux. Download the sample from MalwareBazaar.\r\nAbout MS Word\r\nWe will talk about the basic structure of a Word file. The Microsoft Office suite comes in two structures. Before 2007, Microsoft used the structured storage format, a binary format, which is the old format (.doc, .xls, .ppt) used from Word 97 (released in 1997) through Microsoft Office 2003. After 2007, Microsoft used the Office Open XML format, a Zip archive containing XML (.docx). For more info see here.\r\nUsing exiftool to extract metadata about the sample we are analyzing gives more information about it, such as file size, file type, Language Code, Comp Obj User Type (which shows the edition of Microsoft Word used), and Template. If the Template is Normal.dotm, that is an indicator of a macro inside the Doc file.\r\nexiftool 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc\r\nFile Name : 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc\r\nDirectory : .\r\nFile Size : 60 KiB\r\nFile Modification Date/Time : 2022:05:05 05:54:50-04:00\r\nFile Access Date/Time : 2022:05:05 02:14:10-04:00\r\nFile Inode Change Date/Time : 2022:05:05 01:55:39-04:00\r\nFile Permissions : rw-r--r--\r\nFile Type : DOC\r\nFile Type Extension : doc\r\nMIME Type : application/msword\r\nIdentification : Word 8.0\r\nLanguage Code : English (US)\r\nDoc Flags : Has picture, 1Table, ExtChar\r\nSystem : Windows\r\nWord 97 : No\r\nTitle :\r\nSubject :\r\nhttps://muha2xmad.github.io/mal-document/remcosdoc/\r\nPage 1 of 6\r\nAuthor :\r\nKeywords :\r\nComments :\r\nTemplate : Normal.dotm\r\nLast Modified By :\r\nSoftware : Microsoft Office Word\r\nCreate Date : 2022:04:20 02:06:00\r\nModify Date : 2022:04:20 02:06:00\r\nSecurity : None\r\nCode Page : Windows Latin 1 (Western European)\r\nChar Count With Spaces : 1\r\nApp Version : 16.0000\r\nScale Crop : No\r\nLinks Up To Date : No\r\nShared Doc : No\r\nHyperlinks Changed : No\r\nTitle Of Parts :\r\nHeading Pairs : Title, 1\r\nComp Obj User Type Len : 32\r\nComp Obj User Type : Microsoft Word 97-2003 Document\r\nLast Printed : 0000:00:00 00:00:00\r\nRevision Number : 1\r\nTotal Edit Time : 0\r\nWords : 0\r\nCharacters : 1\r\nPages : 1\r\nParagraphs : 1\r\nLines : 1\r\nVBA extraction and analysis\r\nThen we check whether the Doc file has macros using oleid. If VBA Macros is set to True, as we see in the next figure, then yes, it has macros and the macro is not encrypted.\r\nFigure(1): oleid output\r\nThen we use oledump.py to see the content of the Doc file. The number on the left is called the stream number, and M indicates that the stream contains macro code.\r\nFigure(2): oledump.py output\r\nWe use olevba to extract macros from the Doc file and analyze the VBA code. After extraction, open the file in VSCode. We can use oledump.py to do this as well, but olevba summarizes the important info for us.\r\nolevba 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc \u003e vbacode.vba\r\nThe most important part is the table which summarizes the VBA code and extracts the important items, such as IoCs and suspicious functions such as AutoOpen().\r\nFigure(3): Extraction of the VBA code\r\nBut this is not enough. We will try to extract more info about the Doc by using oledump.py to extract the content of all the streams, but if you want to save time, extract only streams 9 and 10.\r\noledump.py 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc -s 9 \u003e stream_9.vba\r\noledump.py 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc.doc -s 10 \u003e stream_10.vba\r\nTake your time to analyze the ASCII to extract more info from the next two figures. In this figure, stream 9 contains the IoCs which enable the Doc to launch the VBA code.\r\nC:\\Program files\\Common files\\Microsoft shared\\VBA\\VBA7.1\\VBE7.dll\r\nC:\\Windows\\System32\\stdole2.tlb\r\nC:\\Program files\\Microsoft Office\\root\\Office1.6\\MSWORD\r\nObjectLibrary\r\nC:\\Program files\\Common files\\Microsoft shared\\OFFICE16\\MSO.DLL\r\nautoOpen\r\nCreateObject\r\nInstallProduct\r\nFigure(4): Analysis of the VBA code of stream 9\r\nAnd stream 10, which has fewer IoCs than stream 9.\r\nC:.\\Windows.\\System32\\e2tlb\r\nC:\\Program files\\Common files\\Microsoft shared\\OFFICE1.6\\MSO.DLL\r\nFigure(5): Analysis of the VBA code of stream 10\r\nFor more info you can use the Lazy Office Analyzer tool on Windows, or open the malicious Word document and see the macro inside the Microsoft Word application. I tried to use it, but on this sample it gives no info.\r\nIoCs\r\nNo. Description Hash and URLs\r\n1 The Mal DOC file (MD5) 090e1dfdcbf2185788ea14cd113cc39f\r\n3 URL https://filebin.net/rf43v6qzghbj7h7b/TRY.msi\r\nArticle quote\r\nWhoever carries his lantern in his chest is not troubled by the darkness of the world.\r\nSource: https://muha2xmad.github.io/mal-document/remcosdoc/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/mal-document/remcosdoc/"
	],
	"report_names": [
		"remcosdoc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abf7c818fcebe223aea35c4dde17462ba66fc047.pdf",
		"text": "https://archive.orkl.eu/abf7c818fcebe223aea35c4dde17462ba66fc047.txt",
		"img": "https://archive.orkl.eu/abf7c818fcebe223aea35c4dde17462ba66fc047.jpg"
	}
}