Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 402b9d7e8f6e05b3…

MALICIOUS

Office (OLE) / .DOC

Size: 2.06 MB
Created: 2000-03-14 13:18:00
Authoring application: Microsoft Word 8.0
MD5: 49f2a4ffe517263ca493368babba3cb0
SHA-1: c7d542d7c499ecf667991f44b4ff70e03cfe350f
SHA-256: 402b9d7e8f6e05b373663f215ea8d3ffdc2d9432e8cd919c6254a6a61a4a3fd6
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with multiple signatures indicating it is a dropper or trojan. The presence of VBA macros (1701 bytes) strongly suggests that these macros are responsible for the malicious behavior, likely downloading and executing a second-stage payload. The ClamAV detections 'Doc.Dropper.Agent-6538852-0' and 'Doc.Trojan.Ethan-1' further support this assessment.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6538852-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6538852-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nwalsh.com/docbook/dsssl/
    • http://nwalsh.com/
    • http://www.adabas.com/
    • http://www.hughes.com.au
    • http://www.tcx.se
    • http://users.ids.net/~bjepson/freeODBC/
    • http://www.solidtech.com
    • http://www.raima.com
    • http://my.host/cgi-bin/php/secret/doc.html
    • http://my.host/secret/doc.html
    • http://www.umesd.k12.or.us/php/win32install.html
    • http://www.netvision.net.il/browser-id.php3
    • http://www.genusa.com/iis/iiscfg.html
    • http://www.qmail.org/
    • http://ma.machine/cgi-bin/php?/etc/passwd
    • http://ma.machine/cgi-bin/php/secret/doc.html
    • http://ma.machine/secret/script.php3
    • http://ma.machine/cgi-bin/php/secret/script.php3
    • http://ma.machine/cgi-bin/php/dir/script.php3
    • http://ma.machine/dir/script.php3
    • http://ma.machine/cgi-bin/php/secretdir/script.php3
    • http://ma.machine/~user/doc.php3
    • http://genealogy.org/~scottlee/cal-overview.html
    • http://www.fastio.com
    • http://www.fileproplus.com/
    • http://www.iicm.edu/
    • http://www.hyperwave.com/
    • http://hote/mon_objet
    • http://host/php3_script/mon_objet
    • http://host/Hyperwave
    • http://www.hyperwave.de/7.17-hg-prot
    • http://votre.hote/Hyperwave/nom_objet
    • http://votre.hote/nom_objet
    • http://www.xe.net/iptc/
    • http://www.openldap.com/
    • http://elvira.innosoft.com/ldapworld
    • http://www.math.keio.ac.jp/~matumoto/emt.html
    • http://sasweb.de/mhash/
    • http://www.ifconnection.de/~tm/
    • http://www.ifconnection.de/~tm/software/pdflib/PDFlib-0.6.pdf
    • http://www.cdrom.com/pub/infozip/zlib/
    • http://www.guardian.no/~ssb/phpxml.html
    • http://www.ora.com/davenport/
    • http://www.jclark.com/dsssl/
    • http://www.jclark.com/jade/
    • http://www.jclark.com/bio.htm
    • http://www.php.net/
    • http://www.openlinksw.com/
    • http://www.oracle.com
    • http://www.postgreSQL.org/
    +25 more URL(s)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 20ecf05e8c31ad61db225a25ea2b43aa4a2a2fa3e82b7d59c0ae635c12323a55
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1701 bytes
Detection: ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely