Office (OLE) malware analysis — malicious · 178bdc277b192517

MALICIOUS

Office (OLE)

69.0 KB Created: 2007-05-08 16:32:00 Authoring application: Microsoft Word 10.1

MD5: 6dc88757f05da429c51fd5ce135f2190 SHA-1: 1e6f005c91495f3c603493743537379332fb837f SHA-256: 178bdc277b19251733727b233bbd017bf80a23bd173c86f6ef0253ee7744fe0e

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon document opening. The macro attempts to disable virus protection and copy itself to the Normal template, indicating an effort to achieve persistence. The ClamAV detection 'Doc.Trojan.Thus-8' further confirms its malicious nature.

Heuristics 5

ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-8
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.iec.ch

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f84020e182927bd8b4608ff677d30e53eb099baedcd2e80372db5ce36e05686e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2352 bytes
Detection ClamAV: Doc.Trojan.Thus-8 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.