Office (OLE) / .EXE malware analysis — malicious · 1f1171b2f98f3edc

MALICIOUS

Office (OLE) / .EXE

36.5 KB Created: 2000-03-27 13:58:00 Authoring application: Microsoft Word 8.0

MD5: 0f2acfb95c97452d79ff3ccce3c70af4 SHA-1: a683b3a9f6e2ca4a5bdb26b717cd60a9a3ded60c SHA-256: 1f1171b2f98f3edcf481e44d026fd4c7aae39b06482e9e787e11685a499945e0

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Nottice-1. It contains VBA macros, including AutoOpen and Auto_Close, indicating an attempt to execute code automatically. The macros likely establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy, a common technique for malware to ensure it runs on system startup.

Heuristics 5

ClamAV: Doc.Trojan.Nottice-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Nottice-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `24df617a77fde5edd9d82990c96ac3634aae338c21218734c38187294ad94fe3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1774 bytes
Detection ClamAV: Doc.Trojan.Nottice-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.