Doc.Trojan.Xaler-1 Office (OLE) / .DOC malware analysis — malicious · 0114f5431d4e6bbb

MALICIOUS

Office (OLE) / .DOC

159.5 KB Created: 2010-04-15 03:26:00 Authoring application: Microsoft Word 8.0

MD5: 5392f8d60c1c9246a5752a8a795eec23 SHA-1: 6e2b74146f93c07f7b17acf0dd5821b25a5c6759 SHA-256: 0114f5431d4e6bbba59c74b69c0bd33edebca0fe7889a2164a311afa82ee0521

180 Risk Score

Malware Insights

Doc.Trojan.Xaler-1 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is a malicious Word document containing a VBA macro that is automatically executed via the Document_Open subroutine. The macro attempts to export its own code to a temporary file and then re-inject it into the Normal template or the active document, potentially to establish persistence or modify behavior. The ClamAV detection name 'Doc.Trojan.Xaler-1' strongly suggests this family and its typical behavior of downloading and executing further stages.

Heuristics 4

ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Xaler-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f5cd198ab60e51628a6cde2e2a459cdd6e1f32021449237078e43d04b13ee809`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	249152 bytes
Detection ClamAV: Doc.Trojan.Xaler-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.