Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 44f496901a56556e…

MALICIOUS

Office (OLE)

Size: 127.0 KB | Created: 2001-05-17 07:49:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 8f853eefa0b53e5cd4049c83de81a44f
SHA-1: d8c0bc88728e2c6de0fc5f59f2fb3f52771117a2
SHA-256: 44f496901a56556e43bce23c4dc837c5e9aa658385e8b1fb9822ad30dd839bac
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Word document containing a large VBA macro, indicated by multiple high-severity heuristics including OLE_VBA_MACROS and OLE_VBA_AUTOOPEN. The macro is designed to execute automatically when the document is opened, a common technique for delivering malicious payloads. The ClamAV detection further confirms its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Marker-17 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-17
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it does not attribute the sample to a downloader or to a parser CVE.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 199025 bytes
SHA-256: 80e2f7279f204b9d55b94e723210aa5c8d2454eb5912e0ca912d64b082f546ff
Detection: ClamAV: Doc.Trojan.Marker-17
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Quack
' VAL
' Hacker From Batangas
' 5/17/2001 7:50:49 AM
'
' Quack
' VAL
' Hacker From Batangas
' 5/17/2001 7:50:31 AM
'
' NAP
' N
'
' 19/04/01 18:47:19
'
' NAP
' N
'
' 19/04/01 15:06:23
'
' NAP
' N
'
' 19/04/01 14:18:47
'
' NAP
' N
'
' 19/04/01 11:31:31
'
' NAP
' N
'
' 19/04/01 10:46:34
'
' NAP
' N
'
' 18/04/01 16:07:04
'
' NAP
' N
'
' 18/04/01 09:24:55
'
' NAP
' N
'
' 17/04/01 17:03:04
'
' NAP
' N
'
' 17/04/01 11:56:04
'
' NAP
' N
'
' 17/04/01 10:57:36
'
' NAP
' N
'
' 16/04/01 15:43:09
'
' NAP
' N
'
' 16/04/01 15:15:47
'
' NAP
' N
'
' 16/04/01 09:26:03
'
' NAP
' N
'
' 16/04/01 09:21:10
'
' Lab Informatica
' LI
'
' 16/04/2001 08:58:04
'
' Lab Informatica
' LI
'
' 11/04/2001 16:27:24
'
' Lab Informatica
' LI
'
' 11/04/2001 12:57:46
'
' Lab Informatica
' LI
'
' 10/04/2001 17:26:31
'
' Lab Informatica
' LI
'
' 10/04/2001 16:55:13
'
' Lab Informatica
' LI
'
' 10/04/2001 13:55:43
'
' Lab Informatica
' LI
'
' 10/04/2001 13:53:56
'
' Lab Informatica
' LI
'
' 10/04/2001 09:22:39
'
' Lab Informatica
' LI
'
' 10/04/2001 09:21:46
'
' Lab Informatica
' LI
'
' 09/04/2001 22:03:34
'
' Lab Informatica
' LI
'
' 09/04/2001 21:27:37
'
' Lab Informatica
' LI
'
' 09/04/2001 17:27:19
'
' Lab Informatica
' LI
'
' 09/04/2001 12:14:39
'
' Lab Informatica
' LI
'
' 09/04/2001 09:46:57
'
' Lab Informatica
' LI
'
' 09/04/2001 09:36:30
'
' Lab Informatica
' LI
'
' 06/04/2001 16:10:40
'
' Lab Informatica
' LI
'
' 05/04/2001 15:19:57
'
' Lab Informatica
' LI
'
' 05/04/2001 15:16:55
'
' Lab Informatica
' LI
'
' 05/04/2001 12:22:34
'
' Lab Informatica
' LI
'
' 05/04/2001 11:39:01
'
' Lab Informatica
' LI
'
' 05/04/2001 11:38:35
'
' Lab Informatica
' LI
'
' 05/04/2001 11:37:34
'
' Lab Informatica
' LI
'
' 05/04/2001 11:30:02
'
' Lab Informatica
' LI
'
' 05/04/2001 11:29:26
'
' Lab Informatica
' LI
'
' 05/04/2001 11:28:33
'
... (truncated)