Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1f62e456eb14e6de…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 40.5 KB
Created: 2004-10-06 03:21:00
Authoring application: Microsoft Word 8.0
MD5: a7c8ab5c4be76b101699c8a8203153f1
SHA-1: a91741cfbdf982771bee45643d352a8cf69698b3
SHA-256: 1f62e456eb14e6de714aefc7ca4f823cd0344ab053d70c1c162b5259480f18ec
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an OLE (legacy binary Word) document carrying VBA macros with three auto-execute entry points: AutoOpen, Document_Open and Auto_Close. The first two run the moment the user enables macros on open, and Auto_Close runs again when the document is closed, so the code needs no click beyond "Enable Content". Auto-execute macros are not malicious in themselves, but together with the AV hits and the lure they support the MALICIOUS verdict: ClamAV detects the container as Win.Trojan.Psycho-3 and the extracted VBA source as Doc.Trojan.Nori-1. The visible document body is a pretext, an urgent plea for building repairs written to pressure the reader into enabling macros. Auto-executing macros of this kind are a standard first stage for downloading and running a further payload, so the file should be treated as a delivery vehicle even though the macro source itself shows no obfuscation.

Heuristics (6)

  • ClamAV: Win.Trojan.Psycho-3 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    Word runs a Sub named AutoOpen automatically when the document is opened with macros enabled.
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open is the ThisDocument event handler for the open event; it also fires without user interaction once macros are enabled.
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close runs when the document is closed, giving the macro a second execution opportunity.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 37a84b094a7305e594f98577bee86bab70e3d4b8b0cd3942dcd9ab8b0dc126e9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22669 bytes
Detection: ClamAV: Doc.Trojan.Nori-1
Obfuscation or payload: unlikely