Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07fa755cf18f20ad…

MALICIOUS

Office (OLE)

31.0 KB Created: 1990-01-20 22:00:00 Authoring application: Microsoft Word 11.2
MD5: 33e8ba40995c80f00a61e60ff539bceb SHA-1: 96dda8e132d97cd2b136932570bffbfe2416347b SHA-256: 07fa755cf18f20ad922329021b822308a8b47317481227fa1c1eaa93d2f79517
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon document opening. The macro attempts to disable virus protection and ensure its own persistence by copying itself to the Normal template and other open documents. The ClamAV detection 'Doc.Trojan.Thus-8' further confirms its malicious nature. The macro's logic suggests it aims to establish persistence and likely download additional payloads, though the full execution chain is truncated.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
90ce42962075fb537f7475542da7b4ee2c504ac1209ee30c080b5bb4fd4df4f6		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2368 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.