Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 436c649a28f16678…

MALICIOUS

Office (OLE) / .DOC

Size: 30.5 KB
Created: 2010-04-13 10:46:00
Authoring application: Microsoft Word 11.1
MD5: 063297d2458061c4f18005e30a7eab89
SHA-1: 644557cadcfc12f2b051004d0585c08daad13dc3
SHA-256: 436c649a28f16678c78d67f093672599fb19a4db7c8b6e80b688e919b010e256
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Ethan-1. Static analysis detected VBA macros within the document, indicating a potential attack vector. The document body is not informative, and no scripts were extracted for further analysis. The primary indicator of maliciousness is the ClamAV detection and the presence of VBA macros.

Heuristics 3

  • ClamAV: Doc.Trojan.Ethan-1 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-1
  • ClamAV detection on extracted artifact | critical | EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
96f65c25163fe74a4e1a757154cf7ac5ea85f68781b57ae5a21d734589382608
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1667 bytes
Detection: ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely