Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1439dcf4c1fd6eca…

MALICIOUS

Office (OLE) / .DOC

54.0 KB Created: 2010-06-10 06:20:00 Authoring application: Microsoft Office Word
MD5: 34d00a7d279f485f86af6384df56352b SHA-1: a9df43adf2649fec090c0bef5a9975c24588f63d SHA-256: 1439dcf4c1fd6ecac2f8c8d4347e457980fe69588c268b5a104f32010d00eb3f
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically a 'Document_Open' macro, which is a common technique for initial execution. The macro attempts to infect the Normal template and inject code, indicating a downloader or dropper functionality. The presence of the 'Uzkresti' subroutine and attempts to add references to 'VBIDE' suggest the macro's intent is to spread and execute further payloads.

Heuristics 5

  • ClamAV: Doc.Trojan.Microb-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Microb-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsof�
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/office/internal/2005/internalDocumentation
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
67d7c84e268231bb89d861c699940227643f0c2f957b63f573792d8ac720a0a8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 4614 bytes
Detection
ClamAV: Doc.Trojan.Microb-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.