Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30258a42de3de81d…

MALICIOUS

Office (OLE)

Size: 81.5 KB
Created: 1999-12-15 13:11:00
Authoring application: Microsoft Word 8.0
MD5: 36bf0d464065e0fd1b4afecf2ca9f7cf
SHA-1: 582d793d1cb495bf84a4af5795476833bf0f4490
SHA-256: 30258a42de3de81dae3f2236c86a48590169e1893f9a2ad00b2f9f1446a92832
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

ClamAV identifies the file as malicious with multiple detections: 'Doc.Trojan.VMPCK1-16' on the document itself and 'Doc.Trojan.Ozwer-1' on the VBA module extracted from it. The VBA project declares the auto-execution procedures AutoOpen and Auto_Close, so the macro code runs as soon as a user opens or closes the document with macros enabled, with no further interaction. The document body contains statistical analysis text, which appears to be a lure to disguise the malicious nature of the file.

Heuristics 5

  • ClamAV: Doc.Trojan.VMPCK1-16 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.VMPCK1-16
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project declares an AutoOpen procedure, which Word runs automatically when the document is opened once macros are enabled.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    The VBA project declares an Auto_Close procedure, a name treated as auto-executing at document close. The underscore form is Excel's convention (Word's own name is AutoClose); name-based scanners such as olevba flag both spellings.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code.
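The three macro heuristics above are name-based: they come from scanning the decoded VBA source for procedure declarations and matching the names against the set that Word and Excel run without an explicit call. As an added example (not the analysis platform's or oletools' own code), the following Python reproduces that check over a constructed VBA module; the regex, the auto-execution name lists, the mapping to the report's tag names and the `describe_artifact` helper are all assumptions about how such a scanner works.

```python
import hashlib
import re

# Constructed stand-in for a decoded VBA module such as macros.bas; it is not
# the artifact carved from the sample and carries no payload.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Call AutoOpen
End Sub

Sub AutoOpen()
    ' body elided in this constructed sample
End Sub

Sub Auto_Close()
    ' body elided in this constructed sample
End Sub

Function Helper(x As Integer) As Integer
    Helper = x + 1
End Function
"""

# Procedure names that Word or Excel run without an explicit call once macros
# are enabled. Word uses the AutoXxx names and Document_* events; Excel uses
# the Auto_Xxx names and Workbook_* events. A name-based scanner flags every
# spelling regardless of the host application (assumed lists).
OPEN_PROCS = {"autoexec", "autoopen", "auto_open", "document_open",
              "workbook_open", "autonew", "document_new"}
CLOSE_PROCS = {"autoclose", "auto_close", "document_close",
               "workbook_beforeclose", "autoexit"}

# Matches the declaration line of a Sub or Function and captures its name.
PROC_DECL = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?"
    r"(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)


def find_procedures(vba_source: str) -> list[str]:
    """Return every declared Sub/Function name, in source order."""
    return PROC_DECL.findall(vba_source)


def autoexec_procedures(vba_source: str) -> list[str]:
    """Return the declared procedures that the host runs automatically."""
    auto = OPEN_PROCS | CLOSE_PROCS
    return [n for n in find_procedures(vba_source) if n.lower() in auto]


def heuristics(vba_source: str) -> list[str]:
    """Map findings to the tag names used in the report (assumed mapping)."""
    tags = set()
    names = {n.lower() for n in find_procedures(vba_source)}
    if names:
        tags.add("OLE_VBA_MACROS")
    if names & OPEN_PROCS:
        tags.add("OLE_VBA_AUTOOPEN")
    if names & CLOSE_PROCS:
        tags.add("OLE_VBA_AUTOCLOSE")
    return sorted(tags)


def describe_artifact(filename: str, data: bytes) -> dict:
    """Hash and size an extracted artifact the way the report's table does,
    then attach the macro heuristics for a decoded VBA module (assumed helper)."""
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "heuristics": heuristics(data.decode("latin-1")),
    }


if __name__ == "__main__":
    report = describe_artifact("macros.bas", SAMPLE_VBA.encode())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("auto-exec procedures:", autoexec_procedures(SAMPLE_VBA))
```

Because the check is purely lexical, it fires on the declaration alone: a procedure named AutoOpen whose body is empty still raises OLE_VBA_AUTOOPEN, and a payload reached only through an event handler such as Document_Open is caught by the same rule. What the names do not tell you is what the body does, which is why the report pairs these heuristics with the ClamAV hit on the carved module.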

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  29055 bytes
SHA-256: 7b3dbf65174c8a19bb3054c001e991821eca134634a7eb11f9c649cfede746b6
Detection: ClamAV: Doc.Trojan.Ozwer-1
Obfuscation or payload: unlikely