Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0dca517f9fe98459…

MALICIOUS

Office (OLE)

58.0 KB Created: 2007-12-14 18:53:00 Authoring application: Microsoft Word 11.3.5
MD5: eaa965418ca482dcb028954d9c68f2aa SHA-1: 87f4393fcca6b319f0ec051c4e877f6bfbb097be SHA-256: 0dca517f9fe98459a4e37c7eed2ab844dad16c3cfba6870792e6b875042f712a
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical ClamAV heuristic firings, 'Doc.Trojan.Thus-8', indicate a known malicious document. The presence of a 'Document_Open' VBA macro, which is designed to execute automatically when the document is opened, strongly suggests an attempt to establish persistence or download additional malicious content. The macro code appears to copy itself to the Normal template to ensure it runs on subsequent document openings.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
97587b4529c1c37ef0614008e3f611c79cacc7e0f72d15a2565e98af8f8ddef7		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2024 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.