W97M.Kodak — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 1a7bf1f46660a66d…

MALICIOUS

Office (OLE) / .DOC

Size: 30.5 KB
Created: 2001-06-05 10:35:00
Authoring application: Microsoft Word 9.0
MD5: 84a74bcf024ac4779d20e2b667bc6da6
SHA-1: 99cbae9ae51381d5f7eb637b12d42e790f48db33
SHA-256: 1a7bf1f46660a66d226c7a00b06c7c320b7ee0e23f79d42ce5608a18ed789813
Risk score: 220

Malware Insights

W97M.Kodak · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1036.005 Match Legitimate Name or Location

The AutoOpen macro in the VBA script saves a copy of the document as 'C:\Windows\Kodak.doc' and creates a script file 'C:\script.drv'. This script file is then copied to various mIRC script directories, likely to facilitate further malicious activity or communication. The script also attempts to modify Word security settings to allow macros. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Adok-1' further supports the malicious nature of this document.

Heuristics 5

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e8a78e2dfee9f4f3e97dd156ed8dabc318aba3a7db96a23a0bc4b4a0975ccba1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3316 bytes
Detection: ClamAV: Doc.Trojan.Adok-1
Obfuscation or payload: unlikely