Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0240144747cd74aa…

MALICIOUS

Office (OLE)

128.0 KB Created: 2002-04-15 07:15:00 Authoring application: Microsoft Word 8.0
MD5: 40eaadb0a27cf3804b7420480d8bbe62 SHA-1: a90e4063900eb04a4cd9f57aa65a855297a4d6c4 SHA-256: 0240144747cd74aa47f68735b26374c76a8139fc54472a3dead646e6038b95f7
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains a VBA macro that is automatically executed via the Document_Open subroutine. This macro utilizes the Shell() function, indicating an attempt to execute external commands or download additional payloads. The presence of ClamAV detections further supports its malicious nature. The macro's logic appears to be designed to download and execute a second-stage payload, though the exact URL is not directly embedded in the provided script excerpt.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.monteiasi.it

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
228ee5d26f6846d4ba5a8d1e2a1bca6a51cf4215dae954459afc8df34513a659		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 31096 bytes
Detection
ClamAV: Doc.Trojan.Eight941-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.