Office (OLE) / .DOC malware analysis — malicious · 646d7d98bb1a8f67

MALICIOUS

Office (OLE) / .DOC

28.5 KB Created: 2010-05-12 15:11:00 Authoring application: Microsoft Word 11.5.6

MD5: aa1cf88e6f1bbdeb4fbe3657c5e62c3e SHA-1: 1d4df15115f526bfa6f097574b159182e96c2497 SHA-256: 646d7d98bb1a8f67ee13affc2cc4a557ffe459397168391c1a7178b88aabdcc5

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. The heuristic firings and ClamAV detection strongly indicate malicious intent. The macro appears to be designed to ensure its presence and potentially download or execute a second-stage payload, though the script is truncated.

Heuristics 4

ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-8
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f42c9a951f2c3e9fa1d90dac6930fdc1b99834e7990c87d2cbc6a204cae86178`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2358 bytes
Detection ClamAV: Doc.Trojan.Thus-8 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.