Office (OLE) / .DOC malware analysis — malicious · 3971ec25332d7884

MALICIOUS

Office (OLE) / .DOC

64.5 KB Created: 2008-04-22 10:46:00 Authoring application: Microsoft Word 10.1

MD5: 656d84d0325083af27f5f9f3bfad6874 SHA-1: 52c46e6ee86032edbf761e0d78de0255b920b415 SHA-256: 3971ec25332d78847fec9d3e7b533617b431a64d272a21082af9cc500dde1ac5

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing a VBA macro, specifically triggered by the Document_Open event. Heuristics indicate VBA string obfuscation, and ClamAV identifies it as 'Doc.Trojan.Story-1'. The presence of the Document_Open macro and obfuscated VBA code strongly suggests the intent is to execute malicious code upon opening the document, likely to download and run a second-stage payload.

Heuristics 4

ClamAV: Doc.Trojan.Story-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Story-1
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c7c9a62b66923494ff2bdd7a0dee99f34e0ccc842de210f47d45841c64f6fb19`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7054 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 9 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.