Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42cbf7dcc188ee4d…

MALICIOUS

Office (OLE)

49.0 KB Created: 2005-06-08 23:30:00 Authoring application: Microsoft Word 10.1
MD5: da15640bc67f7ec7f9fdbf218221ff25 SHA-1: d45a1a45bdd02499e08ba2cad66ecbe327b18607 SHA-256: 42cbf7dcc188ee4d77300179a8b9f66936bcf139154aefba92781ea29ca44998
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The document body contains several hyperlinks that, when clicked, could lead to the download of further malicious content or redirect the user to phishing sites. No specific malware family could be identified, but the presence of macros and embedded URLs suggests a downloader or initial access vector.

Heuristics 5

  • ClamAV: Doc.Trojan.Marker-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.rbmarketing.com/FCI/fs2000l.html
    • http://www.rbmarketing.com/FCI/press/FCI-FS2000L.doc
    • http://www.fluidcomponents.com/ProdFS2000L.htm
    • http://www.fluidcomponents.com
    • http://www.rbmarketing.com/FCI/fs2000l.htmlNR
    • http://www.rbmarketing.com/FCI/press/FCI-FS2000L.docData
    • http://www.fluidcomponents.com/ProdFS2000L.htmNon-Invasive

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
bd10700919a9a1fcf36965134b11c5196b79f67cd9e3a9e459d9dc3c513eebe2		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 4229 bytes
Detection
ClamAV: Doc.Trojan.Marker-2
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.