Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 39c1f7db1abb9468…

MALICIOUS

Office (OLE) / .DOCX

Size: 40.5 KB
Created: 1999-10-23 21:12:00
Authoring application: Microsoft Word 8.0
MD5: 35a9ca20c1782dd2eb990c08c5f647be
SHA-1: 66393a6b2248848d08acab192905acf695b06f4d
SHA-256: 39c1f7db1abb9468068997a742339c5bc4ef051eb545966daa6a823da3b2a954
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The macros attempt to infect the Normal.dot template and other workbooks by copying code, suggesting an attempt at persistence or propagation. The ClamAV detection 'Doc.Trojan.Hopper-6' and heuristic firings for CreateObject and GetObject calls further indicate malicious intent. The script's behavior of manipulating NormalTemplate and ActiveDocument code modules points towards an attempt to establish persistence or spread.

Heuristics (6)

  • ClamAV: Doc.Trojan.Hopper-6 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hopper-6
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The VBA source contains a CreateObject call.
  • GetObject call (high, OLE_VBA_GETOBJ)
    The VBA source contains a GetObject call.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a0dd17f152df287f28819ea5a7eca128a5249f73a2f904403bb92f9b42764bca
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4519 bytes
Detection: ClamAV: Doc.Trojan.Hopper-6
Obfuscation or payload: likely
Notes: Carved artifact contains 16 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.