Office (OLE) / .DOC malware analysis — malicious · 1025972aaef32d1b

MALICIOUS

Office (OLE) / .DOC

730.0 KB Created: 1999-11-19 10:08:00 Authoring application: Microsoft Word 8.0

MD5: bf6a2f6673701d8fdfd271e24488546c SHA-1: 404c21df24d919f4fb335728e9a43b8832dfd008 SHA-256: 1025972aaef32d1b28d338021689803c8cf2144bd32dc693b6d3e41242d7fe27

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro, which is a common technique for initial execution. The macro attempts to disable virus protection and exports a component to 'c:\class.sys', indicating a likely downloader or dropper functionality. The presence of AutoOpen and AutoClose macros, along with ClamAV detections, strongly suggests malicious intent.

Heuristics 5

ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Class-37
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a2c19397ceeb9987175e28cece3799a98aa87a056fb87ecce0cad64154eda9fa`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11473 bytes
Detection ClamAV: Doc.Trojan.Class-5 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.