Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 02a47f601f76d88e…

MALICIOUS

Office (OLE) / .DOC

57.0 KB Created: 2010-03-16 12:29:00 Authoring application: Microsoft Word 11.5.6
MD5: 8778a235542db1820f91683a92f38a57 SHA-1: ceca699092b987d842b2b85cdbba46e15b673a82 SHA-256: 02a47f601f76d88e53f4aa03865ab501c658803ab0b6fa536792ec17784f181c
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro. This macro is designed to execute automatically when the document is opened, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Thus-8' further confirms its malicious nature. The document body discusses historical events, likely a lure to encourage macro execution.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
e6392e4d2f287649065f93caeaa46e6b33d69bc4c42297861ddecc9a198c543b		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2128 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.