Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 2d683d99470281ec…

MALICIOUS

Office (OLE) / .DOCX

Size: 40.0 KB
Created: 2000-08-28 02:54:00
Authoring application: Microsoft Word 8.0
MD5: 2a09d105f331391edb99221a93df6ec8
SHA-1: a4455f609ec22fc3e11e05848bccad2c36e85d90
SHA-256: 2d683d99470281ec6622ae7d52d6e37ee9beadc0f11faa18e25def0c61583cd8
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a Word document containing VBA macros, specifically an AutoOpen macro, which executes automatically when the document is opened. The macro copies itself into the Normal.dot global template, a common technique for establishing persistence: once the template is infected, the macro runs in every document Word subsequently opens. The ClamAV detection 'Doc.Trojan.Alarm-1' further supports the malicious classification of the file. While the exact payload is not clear from the provided script, the persistence mechanism is evident.

Heuristics (4)

  • ClamAV: Doc.Trojan.Alarm-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Alarm-1
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which runs automatically when the document is opened
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 97b7612bb6f4edb9e36e2114ad95c960d4bb8be393e073aaac035fa2e2648b6f
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 10008 bytes
    Detection: ClamAV: Doc.Trojan.Alarm-1
    Obfuscation or payload: unlikely