Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 21f9ec57d71125bf…

MALICIOUS

Office (OLE) / .DOC

448.5 KB Created: 2010-03-04 22:07:00 Authoring application: Microsoft Word 11.5.6
MD5: c85e18ab22e4d8e632402256dd6232ec SHA-1: b3fd1c377e7d10a7ef3c8a24bf9faaa9e4402740 SHA-256: 21f9ec57d71125bffe66accb9c411e55d607a7fe8b8656bdf29252bbdefbe3f9
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The ClamAV detection 'Doc.Trojan.Thus-5' strongly indicates malicious intent. While the document body appears to be a list of animation projects, the presence of the Document_Open macro and the ClamAV heuristic suggest that the macros are responsible for malicious activity, likely downloading a secondary payload from one of the embedded URLs.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-5
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.stephblakey.com
    • http://www.sunrisedocumentary.com
    • http://www.majorg.com
    • http://www.chelseaker.com
    • http://www.mooneater.com
    • http://www.naverniouk.com
    • http://www.jonnyostrem.com
    • http://www.benjamintse.com
    • http://www.shadedreality.com
    • http://kuraitenshi.daportfolio.com
    • http://www.zedlast.com
    • http://annabohn.ca
    • http://trancentive.ca
    • http://www.fionacheng.com
    • http://www.saintea.com
    • http://www.cymbalist.ca
    • http://popyourculture.com
    • http://www.rinatdepicciotto.ca
    • http://saraduell.com
    • http://jennifergriffiths.ca
    • http://billybobkoruna.com
    • http://www.jacobko.com
    • http://www.akuric.com
    • http://www.albertlaw.ca
    • http://www.alupton.com
    • http://www.vitaedesign.ca
    • http://www.ecuad.ca/people/profile/31683/work
    • http://www.kimberly-sutherland.com
    • http://www.pinarundeger.com
    • http://www.dirkwright.com
    • http://www.gambol.ca
    • http://irrriswu.com
    • http://www.hanapy.com
    • http://www.sunyoondesign.com
    • http://www.jenaitken.com
    • http://www.deryaakay.com
    • http://www.susanaili.com
    • http://www.carolineballhorn.com
    • http://www.tincanstudio.org
    • http://www.johnblandart.com
    • http://noahbowman.tk
    • http://www.bluecanvas.com/keelychadwick
    • http://www.elliottlouis.com/artists/wendi_copeland.asp
    • http://leurich.com
    • http://www.joycelindemulder.com
    • http://www.whosemuseum.org
    • http://www.ecuad.ca/~lhau
    • http://www.timothyhelmuth.com
    • http://www.myartspace.com/artistView.do?keyword=Ranee+Henderson&sortby=featured
    • http://www.patriciamacneil.com
    +109 more URL(s)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
87fd1c2ae5bb2b1494ce001203d661903d0b0cc1c14bdc09b9af0e6bb176b070		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2384 bytes
Detection
ClamAV: Doc.Trojan.Thus-5
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.