Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 2a497e6cf73ee4fb…

MALICIOUS

Office (OLE) / .DOCX

35.0 KB Created: 2000-10-06 15:20:00 Authoring application: Microsoft Word 8.0
MD5: 9c466686f97f6e1d9235697adb0e81d3 SHA-1: 74c67fae409db9575296d70004b5f7dcb0f17830 SHA-256: 2a497e6cf73ee4fb78fb1894cd40b71d973c6bbe94b739435d14b81dd44c1648
180 Risk Score

Malware Insights

MITRE ATT&CK
T1564.004 Hide Artifacts: Defense Evasion T1059.005 Visual Basic

The critical ClamAV detections indicate this file is malicious, specifically identified as Win.Trojan.Pivis-2 and Doc.Trojan.Akuma-2. The VBA macro within the document, triggered by Document_Open, attempts to disable macro security features and clear existing macros using functions like AkumaClear. It also creates and then deletes a file named 'c:\cont.dbl', suggesting it's part of a payload delivery or obfuscation mechanism. The script's intent appears to be defense evasion and preparation for further malicious activity.

Heuristics 4

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b5bb09265de3bda784f43a124904e51cccb3354106a473bb73f84ffbf69af01e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 21371 bytes
Detection
ClamAV: Doc.Trojan.Akuma-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.