Office (OLE) / .VOC malware analysis — malicious · 1adcedbbc83a066e

MALICIOUS

Office (OLE) / .VOC

34.5 KB Created: 1998-09-21 18:46:00 Authoring application: Microsoft Word 8.0

MD5: b27e78ee587ebbc310cab4dcce36fe11 SHA-1: a46150725edd7ffdabb5fd9813d4cb9f9a8377f8 SHA-256: 1adcedbbc83a066ed23a129e34d54341d48157a7b26326652e8a7e062aa2b538

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically triggering AutoOpen and AutoClose events. ClamAV detections indicate it is a known Trojan. The presence of the 'macros.bas' file and the AutoOpen heuristic strongly suggest the document is designed to execute malicious VBA code upon opening, likely to download and execute a secondary payload. The document body contains references to 'Project.OutBreak' and 'Virus Lab', which may be related to the malware's origin or name.

Heuristics 5

ClamAV: Doc.Trojan.Outbreak-6 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Outbreak-6
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `20166ffb37ff6c791252e7c4a84dd859033af1efccae56b4833fe2c2531cbbe3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5323 bytes
Detection ClamAV: Doc.Trojan.Outbreak-6 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.