Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 5d9a8390d59ffee3…

MALICIOUS

Office (OLE) / .EXE

Size: 90.0 KB
Created: 1998-07-16 22:16:00
Authoring application: Microsoft Word 8.0
MD5: 1192e3fb3262cce4f700dd8ac2e2e466
SHA-1: 2f2d6b41f7fbe321ba6468a3e7d5ef31b6185a86
SHA-256: 5d9a8390d59ffee38f54ad69462b8a00c2567edd4cf7f543c51773f02381b488
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, which is a common technique for malicious Office documents. The embedded URLs and document body content point to a lure involving criticism of America Online, likely to disguise the malicious intent. The VBA macro attempts to export a file to 'c:\Windows\TiebugA.sys', suggesting it acts as a dropper for a second-stage payload.

Heuristics (4)

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.aolsucks.org/service/
    • http://www.aolsucks.org/service/busy.html
    • http://www.aolsucks.org/service/email.html
    • http://www.aolsucks.org/service/web.html
    • http://www.aolsucks.org/censor/
    • http://www.aolsucks.org/webcens/
    • http://www.aolsucks.org/security/index.html
    • http://www.aolsucks.org/spam/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a3d4bf5936c3d99a6a615c982e379f248c98fc661f80456e9405d0221b909465
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52474 bytes