Office (OLE) / .DOCX malware analysis — malicious · 3db3f93ef8dae5c2

MALICIOUS

Office (OLE) / .DOCX

76.0 KB Created: 2001-05-31 12:35:00 Authoring application: Microsoft Word 8.0

MD5: 3de33c7c734d9109831b5f19c5727cea SHA-1: f0f78113ae7ef3694733342837e5ed662ce95d5e SHA-256: 3db3f93ef8dae5c29589797c5ea383fe5db373fb35dc1e3cc92a545f3dc971b5

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is a Microsoft Word document containing a VBA macro named 'momo'. This macro is detected as malicious by ClamAV and exhibits obfuscation techniques. The presence of an AutoOpen macro suggests that the malicious code is intended to execute automatically when the document is opened, likely to download and execute a second-stage payload.

Heuristics 5

ClamAV: Doc.Trojan.Agnes-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Agnes-3
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9dc776bc9dacc79790ed031258085f614a14633e6a5baf90710f72093e8761fa`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	24885 bytes
Detection ClamAV: Doc.Trojan.Agnes-3 Obfuscation or payload: likely Carved artifact contains 49 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.