Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18146e34da2e3e35…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 29.0 KB
Created: 2008-07-16 17:08:00
Authoring application: Microsoft Word 10.0
MD5: f1f4eed2b65c5fe9c02eb6a3849102e4
SHA-1: 1df0a6ea060793acb1812af9775808a651f65d8f
SHA-256: 18146e34da2e3e351276f884d2b2e7c07cf8139a80c22323121116e0564cd31c
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Office (OLE) document containing VBA macros; ClamAV detects it as Doc.Trojan.Title-1. The macro calls `AddFromString` and `InsertLines` from its `Document_Close` handler. Both are methods of the VBA extensibility model (`VBProject.VBComponents(...).CodeModule`) that write macro source into a project's code module, so the code is set up to copy itself into other documents or the global template every time the lure is closed: the classic macro-virus replication pattern rather than a one-shot dropper. The summary also raises the possibility that the macro downloads further content; the two calls named above do not do that by themselves, so the decoded source (macros.bas, below) should be checked for download or shell primitives before that is asserted. The document body contains technical specifications for electronic equipment, a plausible lure to get the recipient to enable macros.
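To show what "auto-exec handler that writes into a VBProject" looks like as a triage check, here is an added Python example that is not part of this report or of oletools. It splits a decoded VBA module into procedures, flags the extensibility-model calls in each, and reports whether any auto-executing handler carries them; it also hashes the decoded source the way the artifact table does. The VBA snippet inside it is constructed for the example and is not this sample's macro (the report does not reproduce it); `triage_vba`, `triage_file`, the call lists and the verdict strings are the example's own assumptions. `triage_file` uses oletools' real `VBA_Parser` / `extract_macros()` API and needs oletools installed; the constructed sample runs without it.

```python
"""Triage decoded VBA source for the auto-exec self-replication pattern described above."""
import hashlib
import re
from dataclasses import dataclass

# Objects/methods of the VBA extensibility model (VBProject.VBComponents(...).CodeModule)
# that read or write macro source in a project: the macro-virus replication primitive.
REPLICATION_CALLS = ("AddFromString", "InsertLines", "AddFromFile", "VBComponents", "CodeModule")
# Primitives that fetch or persist remote content; a hit here is what would back a "downloader" claim.
DOWNLOAD_CALLS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream")
# Event handlers and legacy auto macros that Word runs without the user invoking anything.
AUTO_EXEC = {n.lower() for n in ("Document_Open", "Document_Close", "Document_New",
                                 "AutoOpen", "AutoClose", "AutoExec", "AutoNew")}

# One procedure: optional scope, Sub/Function, name, body, up to the matching End Sub/End Function.
PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\b.*?^[ \t]*End\s+\1\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


@dataclass
class Finding:
    procedure: str
    auto_exec: bool
    replication: list   # REPLICATION_CALLS seen in this procedure
    download: list      # DOWNLOAD_CALLS seen in this procedure


def _calls_in(body: str, names) -> list:
    """Whole-word, case-insensitive search (VBA identifiers are case-insensitive)."""
    return [n for n in names if re.search(r"\b" + re.escape(n) + r"\b", body, re.IGNORECASE)]


def triage_vba(vba_code: str) -> dict:
    """Return the artifact hash, per-procedure findings and a verdict for one decoded module."""
    findings = []
    for m in PROC_RE.finditer(vba_code):
        name, body = m.group(2), m.group(0)
        findings.append(Finding(name, name.lower() in AUTO_EXEC,
                                _calls_in(body, REPLICATION_CALLS),
                                _calls_in(body, DOWNLOAD_CALLS)))
    armed = [f for f in findings if f.auto_exec and (f.replication or f.download)]
    if any(f.replication for f in armed):
        verdict = "self-replicating macro: auto-exec handler writes to a VBProject"
    elif armed:
        verdict = "auto-exec downloader"
    else:
        verdict = "no auto-exec replication/download pattern"
    # Hash of the decoded source text, the same thing the artifact table lists for macros.bas.
    digest = hashlib.sha256(vba_code.encode("utf-8")).hexdigest()
    return {"sha256": digest, "findings": findings, "verdict": verdict}


def triage_file(path: str) -> list:
    """Run triage over every module olevba extracts from an OLE/OOXML file (needs oletools)."""
    from oletools.olevba import VBA_Parser  # imported here so the rest runs without oletools
    parser = VBA_Parser(path)
    results = []
    if parser.detect_vba_macros():
        for _fname, _stream, vba_filename, vba_code in parser.extract_macros():
            results.append((vba_filename, triage_vba(vba_code)))
    parser.close()
    return results


# Constructed example module (hypothetical; NOT the macro from the analysed sample).
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
    ' copy this module into the global template and the active document on close
    Dim src As String
    src = ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 20)
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString src
    ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.InsertLines 1, src
End Sub

Sub FormatTable()
    Selection.Tables(1).AutoFormat
End Sub
'''

if __name__ == "__main__":
    report = triage_vba(SAMPLE_VBA)
    print("sha256:", report["sha256"])
    for f in report["findings"]:
        print(f"{f.procedure:16} auto_exec={f.auto_exec} replication={f.replication} download={f.download}")
    print("verdict:", report["verdict"])
```

The point of separating the replication list from the download list is the caveat in the summary above: `AddFromString`/`InsertLines` in `Document_Close` justify a self-replication verdict on their own, while a downloader claim needs one of the network or file-persistence primitives to actually appear in the decoded source.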

Heuristics (3)

  • ClamAV: Doc.Trojan.Title-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Title-1
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8b4f3c0da8f19a947a457940c6447deaae03774d3cfd0f7df4547cfc16021ece
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2886 bytes
Detection: ClamAV: Doc.Trojan.Title-1
Obfuscation or payload: unlikely