Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2bae4edeed92f1b3…

MALICIOUS

Office (OLE)

1.09 MB Created: 2002-04-14 11:58:00 Authoring application: Microsoft Word 10.0
MD5: 120fa503fd4c3bfa91c3e52c1b27cf7a SHA-1: 7e3dc356f6e1a6eed47d210a0acfaacd44bbde04 SHA-256: 2bae4edeed92f1b37b1290d1d43bc57aab8ae0b28fdf10c7ec621ff0fd37a5ad
368 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OLE document containing VBA macros, including AutoOpen and Auto_Close functions, indicating an attempt to execute code upon opening or closing. Critical heuristics indicate the use of Shell() and CreateObject(), suggesting the execution of external commands or the creation of objects to facilitate malicious actions. The embedded URL http://www.coderz.net/zerogravity is likely used for payload delivery. The document body presents a disclaimer, attempting to preemptively absolve the author of responsibility and encourage macro execution.

Heuristics 10

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Win.Trojan.U-74 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.U-74
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.coderz.net/zerogravity

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
26d3fa31207738a5304a80bf59fb4b22621b10401c56826c4c2ed7760acc345a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 47779 bytes
Detection
ClamAV: Win.Trojan.U-74
Obfuscation or payload: likely
Carved artifact contains 141 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.