Malicious Office (OLE) / .DO — malware analysis report

Static analysis result for SHA-256 3c830bd6278892d6…

MALICIOUS

Office (OLE) / .DO

Size: 95.0 KB
Created: 2006-08-01 07:27:00
Authoring application: Microsoft Word 8.0
MD5: e713f17c0942dda5d25315212f3b60c9
SHA-1: 892b9457af8f6277919d5178aa8a99afef3b4e62
SHA-256: 3c830bd6278892d6f5db03a77391186148b3904ef5a7501a4d0734abd4346a31
Risk Score: 368

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing malicious VBA macros, as indicated by multiple high and critical heuristic firings including OLE_VBA_MACROS, OLE_VBA_AUTOOPEN, and CLAMAV_DETECTION. The presence of AutoOpen and Document_Open macros suggests automatic execution upon file opening. The extracted 'macros.bas' file is the primary artifact containing the malicious code. The document body appears to be a lure related to Russian law enforcement, likely to trick the user into opening the malicious document.

Heuristics (10)

  • ClamAV: Doc.Trojan.Thus-7 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-7
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1876656d2d79ec136ad656f6fa9328c6a828ded69b8256c46c206c5f365ad0a9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 69848 bytes
Detection: ClamAV: Doc.Trojan.Thus-7
Obfuscation or payload: likely
Notes: Carved artifact contains 24 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.