Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 3a790405c981ba9b…

MALICIOUS

Office (OLE) / .DOCX

Size: 45.0 KB
Created: 1995-07-13 12:50:00
Authoring application: Microsoft Word 8.0
MD5: 83a045f7c12c9a00915b85d530379002
SHA-1: 473a7e6eaee3a261f1e401786262b0b6e8971993
SHA-256: 3a790405c981ba9bbce77265ce9167df25bfd7a7cf6416af650e76dce2444372
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros, specifically an AutoOpen macro, which is a common delivery mechanism for malware. The macro attempts to display messages to the user, including one suggesting the file might be infected. While the script is truncated, the presence of AutoOpen and the ClamAV detection (Doc.Trojan.Allen-2) strongly indicate malicious intent, likely to deceive the user or initiate further malicious actions.

Heuristics (4)

  • ClamAV: Doc.Trojan.Allen-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Allen-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1ce72b9b5de3b5ed5c630f5021f159e37d840c1a8fa4fd9205141cf4d25e2272
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7322 bytes
Detection: ClamAV: Doc.Trojan.Allen-2
Obfuscation or payload: unlikely