MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of VBA macros and a critical ClamAV detection for 'Doc.Trojan.Maldade-10036492-0' strongly suggests malicious intent. The VBA macro, though simple, is indicative of a downloader or initial execution vector for a more complex payload. The Maldade family is known for its use of such techniques to deliver further malware.
Heuristics 3
-
ClamAV: Doc.Trojan.Maldade-10036492-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Maldade-10036492-0
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 40 bytes |
SHA-256: 6b26a80de8d277c621ed1b1f6085c2e75914969f4645422ebdff161b3f68329f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Sub Hello()
Dim X
X=MsgBox("Hello VBS")
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 17920 bytes |
SHA-256: eee61aee489b3375664e7752400b928ab8f6e2a00fc0a3b794bde2924b06c132 |
|||
|
Detection
ClamAV:
Doc.Trojan.Maldade-10036492-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.