Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 650e3f6cfc650c2b…

MALICIOUS

Office (OLE) / .EXE

36.5 KB Created: 2000-03-27 13:58:00 Authoring application: Microsoft Word 8.0
MD5: 153bb7e29a721006857b9206b03b1390 SHA-1: 29cc67f67a006acd082943e9514590a927515a4e SHA-256: 650e3f6cfc650c2baa00230d2f695dd56b74b1abed38592f3dd4e7d71a4323f4
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, including AutoOpen and AutoClose functions, which are designed to execute automatically when a document is opened or closed. The script attempts to copy itself to other documents and global templates, indicating a self-propagation or persistence mechanism. The presence of AutoOpen and AutoClose macros, along with the explicit copying of 'WININIT' and 'AutoClose' to other locations, strongly suggests a macro-based infection strategy.

Heuristics 5

  • ClamAV: Doc.Trojan.Nottice-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nottice-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
24df617a77fde5edd9d82990c96ac3634aae338c21218734c38187294ad94fe3		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1774 bytes
Detection
ClamAV: Doc.Trojan.Nottice-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.