Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5481ce108011c92d…

MALICIOUS

Office (OLE) / .DOC

Size: 124.0 KB
Created: 2021-09-06 02:16:00
Authoring application: Microsoft Office Word
MD5: 0760f1a4e6a892382abf9ed97adee26d
SHA-1: 70fe2e62f7ee5bf8303dd3b27fc664f535ac6ee1
SHA-256: 5481ce108011c92dbc2b8a4a1f34ec001d79632acf3bfa9b81ccd403074ac3c1
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1547.001 Registry Run Keys / Startup Folder
  • T1059.005 Visual Basic
  • T1564.004 Disable or Modify Tools

The sample is a malicious Word document containing VBA macros. The macros are designed to disable security features and modify the Normal template to achieve persistence. Specifically, the script attempts to set the macro security level to low and modifies the 'Empirical' module in both the active document and the Normal template. This behavior is indicative of a macro-based malware dropper aiming for persistent execution.

Heuristics (7)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d19a16bd92ecce4cb926350a233408c214785aa1062c88bb53795d8f8c8ce1d4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5897 bytes
Detection:
  • ClamAV: Doc.Trojan.Melissa-12
  • Obfuscation or payload: likely
  • Carved macro source contains an auto-exec entry point and execution/download terms.