Win.Trojan.Tristate-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 0859c77c605b38ad…

MALICIOUS

Office (OLE)

Size: 34.5 KB · Created: 2000-01-12 22:48:00 · Authoring application: Microsoft Word 8.0 · First seen: 2015-09-23
MD5: 4a6f7e18f1e609a8eccc814981cda770
SHA-1: 51633b336d1f4e56c49a7db452dc9865d8995551
SHA-256: 0859c77c605b38adaf9ff4c1c3037a75246104a83af8a1e7ac1c476e92200f9f
Risk score: 68

Malware Insights

Win.Trojan.Tristate-2 · confidence 85%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The malicious verdict rests on the ClamAV signature Win.Trojan.Tristate-2. The VBA project itself yields no executable code under static analysis: the single extracted module, ThisDocument, consists only of module attributes (see the extracted artifact below). An attribute-only ThisDocument with VB_TemplateDerived = True is exactly what a Word document inherits from its template, so on its own it is not evidence of macro abuse, and the T1059.005 mapping and the "downloader" characterisation are inferred from the detection name and the file type, not from any recovered code. One check is worth doing before accepting the "no executable statements" result: olevba decompresses the VBA source from the module stream, and a sample whose source text has been stripped while the compiled p-code remains (VBA stomping) would look identical here; disassembling the p-code, for example with pcodedmp, confirms whether the module is genuinely empty. The T1566.001 mapping likewise reflects the usual delivery path for malicious Office documents rather than delivery context recovered from this sample.

Heuristics (2)

  • ClamAV: Win.Trojan.Tristate-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Tristate-2
  • VBA project contains no executable statements (low, OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
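The OLE_VBA_MACROS heuristic above reduces to a line classifier over the decoded source. The following Python, added here as an example and not the analysis platform's or oletools' own code, implements that classifier, runs it over the seven attribute lines recovered from this sample and over a constructed module with an AutoOpen procedure for contrast, and wraps oletools' VBA_Parser so the same check can be run on a real file. The severity levels, the auto-exec procedure list, the helper names and the contrast module are assumptions of this example; oletools must be installed for classify_document to work, and like olevba it only sees the decompressed source stream, so a stomped module would still classify as empty.

```python
"""Classify decoded VBA source the way the OLE_VBA_MACROS heuristic does.

Added example for this report, not the analysis platform's or oletools' own
code. It decides whether a module carries any executable statements, flags
auto-executing entry points, and (optionally) pulls modules from a real
document with oletools' VBA_Parser.
"""
import re
from dataclasses import dataclass, field

# Lines with no runtime behaviour: module attributes, compiler options,
# comments (' or Rem) and blank lines. Everything else counts as a statement.
_NON_EXEC = re.compile(r"^\s*(?:Attribute\s|Option\s|'|Rem\b|$)", re.IGNORECASE)

# Procedure names that Office runs without user interaction. Assumption:
# a representative subset, not the complete list of auto-exec entry points.
_AUTOEXEC = re.compile(
    r"\b(?:AutoOpen|AutoClose|AutoExec|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE,
)


@dataclass
class VbaVerdict:
    total_lines: int
    exec_lines: int
    autoexec: list = field(default_factory=list)

    @property
    def level(self) -> str:
        # Severity scale is this example's own, not the platform's scoring.
        if self.exec_lines == 0:
            return "low"
        return "high" if self.autoexec else "medium"


def classify_vba(source: str) -> VbaVerdict:
    """Count executable lines in one decoded VBA module."""
    # Fold VBA line continuations (" _" at end of line) so a statement split
    # across lines is counted once.
    folded = re.sub(r"\s_\r?\n", " ", source)
    lines = folded.splitlines()
    exec_lines = [ln for ln in lines if not _NON_EXEC.match(ln)]
    # Only executable lines are searched, so "AutoOpen" inside a comment is ignored.
    autoexec = sorted({m.group(0).lower() for ln in exec_lines for m in _AUTOEXEC.finditer(ln)})
    return VbaVerdict(len(lines), len(exec_lines), autoexec)


def classify_document(path: str) -> dict:
    """Run the classifier over every module of an OLE/OOXML file via oletools."""
    from oletools.olevba import VBA_Parser  # lazy import: only needed for real files
    parser = VBA_Parser(path)
    try:
        if not parser.detect_vba_macros():
            return {}
        # extract_macros yields (container, stream_path, module_name, decoded source)
        return {name: classify_vba(code) for _, _, name, code in parser.extract_macros()}
    finally:
        parser.close()


# The module actually recovered from this sample (macros.bas, verbatim).
EMPTY_MODULE = """Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
"""

# Constructed contrast case: a module with an auto-executing procedure.
# Not from the sample; the URL uses a reserved example domain.
AUTOOPEN_MODULE = """Attribute VB_Name = "ThisDocument"
Option Explicit
' AutoOpen mentioned in a comment does not count
Sub AutoOpen()
    Dim url As String
    url = "http://example.invalid/stage2"
    MsgBox url
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample macros.bas", EMPTY_MODULE), ("constructed AutoOpen", AUTOOPEN_MODULE)):
        v = classify_vba(src)
        print(f"{label}: {v.exec_lines}/{v.total_lines} executable lines, "
              f"autoexec={v.autoexec}, level={v.level}")
```

On this sample the classifier returns 0 executable lines out of 7 and the "low" level, which is the heuristic result shown above; the constructed module returns 5 executable lines with AutoOpen flagged. Because the input is the decompressed source stream, a "low" result should be paired with a p-code disassembly before it is read as "no macro code runs".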

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 248 bytes
SHA-256: 75702493909463bf8093aec8b508fcc96c561fa55dfe899fecd271624a111a7a

Decoded VBA source of macros.bas (the whole module):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True