Win.Trojan.Tristate-2 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 0eaec8263f59353c…

MALICIOUS

Office (OLE) / .DOC

Size: 71.0 KB
Created: 2003-02-16 19:03:00
Authoring application: Microsoft Word 9.0
MD5: 575b34a25b1243464bae71cca64739db
SHA-1: c0e3f4aaa2bdd292215fa9c4577c5d4844253676
SHA-256: 0eaec8263f59353c8fbbbd64ed0ccb57e20d73cf17f8822ec95fb7a03ae72408
Risk score: 220

Malware Insights

Win.Trojan.Tristate-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file is a malicious Microsoft Word document containing VBA macros. The macros use CreateObject and GetObject calls, indicative of malicious intent. The embedded VBA script, 'macros.bas', attempts to manipulate Office application settings and potentially download a second-stage payload by interacting with Excel. The ClamAV detection of 'Win.Trojan.Tristate-2' further confirms its malicious nature.

Heuristics (5)

  • ClamAV: Win.Trojan.Tristate-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Tristate-2
  • ClamAV detection on extracted artifact [critical] (EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    The VBA code calls CreateObject, which instantiates a COM object by ProgID; macros commonly use it to drive other applications or scripting objects from inside the document.
  • GetObject call [high] (OLE_VBA_GETOBJ)
    The VBA code calls GetObject, which obtains a reference to an already running COM object or to an object backed by a file path or moniker.
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: dd5bf08a8a746fe7c35b6e4f371807dc0b644c7f39dffba3c4eab1b35339f2fe
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9421 bytes
Detection: ClamAV: Doc.Trojan.Tristate-1
Obfuscation or payload: unlikely