Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66759583fed12d27…

MALICIOUS

Office (OLE)

34.0 KB Created: 2007-09-04 20:34:00 Authoring application: Microsoft Word 11.3.5
MD5: e0f4e2a83cef3ad76250a5f0d23e7792 SHA-1: c0ff7b2580f68d8511a02a5dd176011bc10564db SHA-256: 66759583fed12d27a43601e5ac98bc823abcc72425ec707a5cd15ac3fd8b2a78
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Word document containing a VBA macro that executes upon opening. The macro attempts to disable virus protection and copies itself to the Normal template and all open documents, indicating an attempt at persistence and evasion. The ClamAV detection 'Doc.Trojan.Thus-5' further confirms its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-5
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5f3a97e4fb281c182a72f372fc3fa336cfd5e05720d991c712b1da70b22d3ac6		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2343 bytes
Detection
ClamAV: Doc.Trojan.Thus-5
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.