Office (OLE) malware analysis — malicious · 59ed9aecee9d19ff

MALICIOUS

Office (OLE)

76.0 KB Created: 2009-09-08 17:10:00 Authoring application: Microsoft Word 11.5.0

MD5: 8f129f487a963b0b3b6378c3b3360632 SHA-1: 05ab20528aa1b746870fc2781fd0d41eedfca063 SHA-256: 59ed9aecee9d19ff59e6ccb0a245fa7443a258f6517c4035999e719e5279fbbc

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The document body presents a benign book report form, likely as a lure to trick the user into enabling macros. The presence of VBA macros and the Document_Open execution trigger strongly suggest a macro-based malware delivery mechanism. No specific family could be identified, and no external IOCs were extracted.

Heuristics 4

ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-10
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `b5262cd29a887f937b7884a7260badecceb4665d77caed7933f83bf4a9797b7c`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1957 bytes
Detection ClamAV: Doc.Trojan.Thus-10 Obfuscation or payload: unlikely
`icc_00_off000001d3.icc` `2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63`	pdf-icc-profile	PDF ICC profile at offset 0x1D3	1456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.