Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5b6a0b16cf05046e…

MALICIOUS

Office (OLE)

52.5 KB Created: 2009-06-23 02:23:00 Authoring application: Microsoft Word 10.0
MD5: 9d92e022e87623c6771129f47517320d SHA-1: 82bb8ee7e54d93e665c8eae95557104aa714c60b SHA-256: 5b6a0b16cf05046eea38d2d3e11fe182714cdcebfa3b9bda79ab94823b468e87
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample contains VBA macros, specifically a Document_Open macro, which is a strong indicator of malicious intent. The macro likely attempts to download and execute a second-stage payload, as suggested by the ClamAV detection 'Doc.Trojan.Thus-8'. The embedded URLs, particularly 'http://nytimes-se.com/' and 'http://www.shadowdistribution.com/', are suspicious and could be used for payload delivery.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.theyesmenfixtheworld.com/
    • http://www.theyesmenfixtheworld.com
    • http://www.theyesmenfixtheworld.com/press.htm
    • http://www.theyesmen.org/blog/yes-men-honcho-sprung-from-clink
    • http://theyesmenfixtheworld.com/
    • http://www.theyesmen.org/movies/theyesmen
    • http://nytimes-se.com/
    • http://www.filmforum.org/
    • http://www.shadowdistribution.com/
    • http://witness.org/
    • http://www.cnn.com/2009/US/09/22/new.york.fake.newspaper/index.html
    • http://gothamist.com/2009/09/21/ny_post_gets_yes_men_treatment.php
    • http://www.washingtonpost.com/wp-dyn/content/article/2009/09/25/AR2009092502016.html?hpid=opinionsbox1
    • http://www.youtube.com/watch?v=LiWlvBro9eI
    • http://www.cnn.com/2006/POLITICS/08/28/hud.hoax/
    • http://www.reuters.com/article/industryNews/idUSTRE4AC0GV20081113

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
cabec65225b78f8c919c7d53833d589ec97934977c8ac694201cf922361ba7ff		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2400 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.