Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6e15409fd0b0bd58…

MALICIOUS

Office (OLE) / .DOC

Size: 41.5 KB
Created: 2008-04-22 10:47:00
Authoring application: Microsoft Word 10.1
MD5: e24940f90c60e30b83b1a5ac9e7b0776
SHA-1: 452c81958a8750fa1e236f50ae7394aff6aaa33e
SHA-256: 6e15409fd0b0bd580e85e0c4f0a918965d34adfe8d8020d1099a21628dffcd7a
120 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro attempts to disable macro security warnings and potentially download and execute a second-stage payload, as indicated by the ClamAV detection 'Doc.Trojan.Story-1'. The script also shows attempts to interact with mIRC, suggesting a potential command and control or file transfer mechanism.

Heuristics 3

  • ClamAV: Doc.Trojan.Story-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Story-1
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (c7c9a62b66923494ff2bdd7a0dee99f34e0ccc842de210f47d45841c64f6fb19) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7054 bytes