Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 17763873bf94a18a…

MALICIOUS

Office (OLE) / .DOC

Size: 3.10 MB
Created: 2010-04-23 09:38:00
Authoring application: Microsoft Office Word
MD5: d9dc60d27900d1bf2a54680e8ee4bd6f
SHA-1: 465d5633257182f1c4d2ec6672fac26722d0d395
SHA-256: 17763873bf94a18abc96b2632a9362c5d585ed6552712d24adf1bf3c975ebe97
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros. The 'macros.bas' script includes an 'AutoNew' subroutine which is designed to copy the 'Modul_CD' macro module to newly created documents. This suggests an intent to propagate the macro or ensure its execution in subsequent documents. No malicious URLs or other direct indicators of compromise were found within the provided evidence.

Heuristics 2

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
37f21e40398e627bea5730e592bec6ae20c876124edf1c120b19075d330d3a49
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3339 bytes