Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 26e0af3a1955d8ad…

MALICIOUS

Office (OLE) / .DOCX

54.0 KB Created: 1999-03-31 02:55:00 Authoring application: Microsoft Word 8.0
MD5: 49cd40dfd0ab13eddcdd26bd78dd85a6 SHA-1: 754e6349a5db04dcfd6316352fbf52bd581fd740 SHA-256: 26e0af3a1955d8ada6c24f6c00b8c0fad00e9daef3942ad0b5094b064cbcc02b
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is a Microsoft Word document containing VBA macros. The heuristic firings indicate the presence of VBA macros and a call to CreateObject, along with references to Windows Script Host. The extracted VBA script, 'macros.bas', attempts to use the FileSystemObject to locate and process other HTML or VBS files. It also references 'Word.Application' and 'VBProject', suggesting interaction with the Office application itself. The script's logic implies it's designed to find and potentially execute other malicious content, possibly downloading a second-stage payload. The ClamAV detections further confirm its malicious nature.

Heuristics 6

  • ClamAV: Doc.Trojan.Hopper-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-4
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
70296c548a396920ef0ba25eea9293bbee4213d93fd6ab2b0713a55e7f2ab692		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 18269 bytes
Detection
ClamAV: Win.Trojan.Internal-7
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.