Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10c551e57851226d…

MALICIOUS

Office (OLE)

30.5 KB Created: 2008-07-16 17:00:00 Authoring application: Microsoft Word 10.0
MD5: f641ea358f0e5f56a8139c384e97e924 SHA-1: a08e619b0b1b4e9cb75b0cdc15a17d8e5944182a SHA-256: 10c551e57851226d467a02c2e56d07aa923375cdc72d0ea846d95368c8408fbe
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1505.003 Server Software Component: Visual Basic for Applications

The sample is a malicious Office document containing VBA macros. The macros appear to be designed to infect other documents by copying themselves into them. The script also contains logic that suggests an attempt to establish persistence, although the exact mechanism is truncated. The ClamAV detection 'Doc.Trojan.Title-1' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Title-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Title-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8b4f3c0da8f19a947a457940c6447deaae03774d3cfd0f7df4547cfc16021ece		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2886 bytes
Detection
ClamAV: Doc.Trojan.Title-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.