Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 5888425f1aad79f5…

MALICIOUS

Office (OLE) / .EXE

35.0 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0
MD5: 4412e6d87bf8ebd00de8428667736cdc SHA-1: 93034a6911a04aa166f3ff0ce50b337e27b862cf SHA-256: 5888425f1aad79f56e549dd737debfd1332190583896789c209944d5d6b6ae50
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a malicious OLE executable by ClamAV. It contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. While no specific payload or download URL was extracted, the presence of these macros strongly suggests an intent to download and execute a second-stage payload. The document body content appears to be legitimate, indicating the malicious functionality is likely hidden within the VBA code.

Heuristics 4

  • ClamAV: Doc.Trojan.Eight941-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Eight941-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
97521f5bda33dddb355eb20aa7d05aae7f031710437c7f1b574784abb2fbc587		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2359 bytes
Detection
ClamAV: Doc.Trojan.Eight941-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.