Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1113c80eee2d2f41…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 2002-05-22 23:21:00
Authoring application: Microsoft Word 8.0
MD5: bd430d6b0506958dee8406fd8e1b6c47
SHA-1: cfd65f445b27eda5a01cc13ac7f744171903f4a6
SHA-256: 1113c80eee2d2f415963b0cb539e49cfeaf7976c8cc26db6618b32d8be3185fa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon document opening. The script attempts to export itself as 'ascii.vxd' and import it into the active document or NormalTemplate, suggesting an attempt to establish persistence or load a secondary payload. The ClamAV detection as 'Doc.Trojan.Wrench-4' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Wrench-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Wrench-4
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          719ced780710befe439343e243a352e26b82fb06fa49c81197a7ef3f07513489
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1776 bytes