Office (OLE) / .EXE malware analysis — malicious · 17ebf469dd98f3f3

MALICIOUS

Office (OLE) / .EXE

44.0 KB Created: 1998-08-07 12:31:00 Authoring application: Microsoft Word 8.0

MD5: 29f569009eaf81ce3697cbf7eda61dec SHA-1: 695b6bfb135204f82d69efed8e67f8e8c3eb3f30 SHA-256: 17ebf469dd98f3f36d82cc026021f3cc85124387d387ef902557a64326a01957

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro attempts to export itself as 'Yvonne.sys' to the startup directory and also references 'msfile.bat' in the startup directory, suggesting a payload delivery mechanism. The ClamAV detection as 'Win.Trojan.Pivis-2' further supports its malicious nature.

Heuristics 3

ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Pivis-2
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0abd90ac0dfb4a77d1ec40a80d611857364d161de3b3068c9703e0f544113da7`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	32735 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.