Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 635d8067df3c3318…

MALICIOUS

Office (OLE)

Size: 60.5 KB
Created: 1999-09-12 18:10:00
Authoring application: Microsoft Word 8.0
MD5: ae6fe18c1850dfdcd11fc83095f397d2
SHA-1: f1bcfbdec548cefd0c6c55badf0d6d9d995e36e8
SHA-256: 635d8067df3c33186d4f4603207afbb6b09403fed9b6331d79a39b2cb41e64d8
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.CyberHack-1. It contains VBA macros, including an AutoOpen macro, which are often used to execute malicious code upon opening the document. The script attempts to disable macro security features and manipulate the user interface, suggesting an intent to download and execute further payloads.

Heuristics (4)

  • ClamAV: Doc.Trojan.CyberHack-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.CyberHack-1
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    Document contains an AutoOpen macro, which runs automatically when the document is opened
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: c55f80702645d42afa9e28f69e8a4ce8a53e96b9b873d910ee15c201968f73d2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18818 bytes
Detection: ClamAV: Doc.Trojan.CyberHack-1
Obfuscation or payload: unlikely