Malicious Email / .MSG — malware analysis report

Static analysis result for SHA-256 69061c38e23265ef…

MALICIOUS

Email / .MSG

966.0 KB
MD5: 9515233315b111a929959862deca9349 SHA-1: ca3e9a53a984b09d310a2f37218199a706b00ebd SHA-256: 69061c38e23265ef7a9c945bf308af4423c8f743eaa4f5ea5313b82cdde23a28
322 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is an email message containing embedded OLE objects, one of which has suspicious static findings including appended payload bytes and VBA macros. The Document_Open macro is present and attempts to disable virus protection and copy itself to other documents, indicating an attempt to establish persistence and evade detection. The ClamAV detection further confirms its malicious nature. The VBA script appears to be designed to download and execute a second-stage payload, though the exact URL or execution method is truncated.

Heuristics 8

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 970,240 bytes but its declared streams total only 47,280 bytes — 922,960 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Limited .msg parsing info EMAIL_MSG_LIMITED
    The .msg format requires the 'extract-msg' library for full analysis. Install it with: pip install extract-msg. Basic text scanning was performed.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
2666cba01ac748b4cab3cd822668ed174fbcab1edc12fde18d59f3ab4d63fb3c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2461 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely
embedded_office_off00004a00.ole
bbf9097c7aeb257408e5a62c16db9838f35eeef61c8db8bdf749718fe0fdd005		 embedded-office Embedded OLE/CFB Office body inside email container at offset 0x4A00 970240 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely
embedded_office_off00014600.ole
d24d505a0580972d1406cdaeb8b561c6fad8a12ed68be2058ee95aeb5bcb9744		 embedded-office Embedded OLE/CFB Office body inside email container at offset 0x14600 905728 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely
embedded_office_off0006ac00.ole
67c8892b62b1d6a46ddb2dee6a69c9769953d2c8accdf4a392a2edb9c529ecc7		 embedded-office Embedded OLE/CFB Office body inside email container at offset 0x6AC00 551936 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.