Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 61b20c1f748a9ace…

MALICIOUS

Office (OLE) / .DOC

18.0 KB Created: 1997-09-10 17:27:00 Authoring application: Microsoft Word 6.0
MD5: f9dd8a61629cec52d2b5e03f478edc3f SHA-1: f20dc2454af43082e9953d55ddf24b103c86b6bb SHA-256: 61b20c1f748a9aceeb7b5ca25a8df3075dcfe447f11891f4e872b9a5a1b24d9a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Win.Trojan.Macro-11. Static analysis reveals suspicious findings related to the OLE structure, including empty streams and directory cycles, indicating potential obfuscation or corruption. The presence of 'AUTOOPEN' and references to 'WinJet' within the document body suggest the execution of a macro upon opening.

Heuristics 4

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • ClamAV: Win.Trojan.Macro-11 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Macro-11
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00001635.ole
160cdb6aca66b0f86eaf1f327688f2874d22441ce7a5576161ea8b9a92bf134e		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x1635 12747 bytes
Detection
ClamAV: Win.Trojan.Macro-11
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.