Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6c95f9592955ed90…

MALICIOUS

Office (OLE) / .DOC

118.0 KB
Created: 2010-03-01 17:58:00
Authoring application: Microsoft Word 11.5.5
MD5: e377cfdc8c70f5ebe8f623c4c614b6e6
SHA-1: 245e49de46279cbb2f789d1612726c08c81fa3a1
SHA-256: 6c95f9592955ed90ee576e6545fb6d068f68b586ecb2532a9828b1f19f45403c
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic

The sample is a Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon opening or closing the document. The document body presents a fake management agreement, acting as a lure to encourage macro execution. The presence of VBA macros strongly suggests an attempt to download and execute a secondary payload.

Heuristics 4

  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
  8dfd95711449b9ec1142651e34f49df7d7852628481a3a3e01f0b8829769dc39
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10280 bytes