Malicious Office (OLE) / .LOR — malware analysis report

Static analysis result for SHA-256 6348c3b21ca8cf6e…

MALICIOUS

Office (OLE) / .LOR

84.0 KB Created: 2010-03-11 22:06:00 Authoring application: Microsoft Word 11.5.6
MD5: 77d2cc4a45e379ad5c5b0d5cc6149a39 SHA-1: 3da0cecc6770cb232d5861a4be9449dc4ce7ca99 SHA-256: 6348c3b21ca8cf6e5c1d46ef56b69ca3ea56e8a774e5ca2871f662803010c7bd
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The file contains a VBA macro that executes upon opening the document. This macro is designed to copy itself into the Normal template and potentially other open documents, which is a common technique for establishing persistence or spreading malware. The ClamAV detection name 'Doc.Trojan.Thus-8' further supports its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
aa92088ec826fb2718584539035df609af62307bde39883f630f395c8c1015d9		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2369 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.