Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e2576cb25e25174…

MALICIOUS

Office (OLE)

33.0 KB Created: 2002-03-06 19:14:00 Authoring application: Microsoft Word 8.0
MD5: 344c1dafebd09578f622eefd3915ff32 SHA-1: 997c9ea404706bf2de6a4316e86cdc1706033908 SHA-256: 6e2576cb25e25174f1397ab18be743687a41274382c6317cdbc68f2d4d292829
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document containing a VBA macro that executes upon opening, as indicated by the 'Document_Open' macro firing and ClamAV detection. The macro appears to be designed to infect the system, although its exact payload is obfuscated and truncated. The document body itself is a seemingly legitimate business offer, likely intended to trick the recipient into opening the malicious attachment.

Heuristics 4

  • ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
46af837b8e47bcc8654bad9540bdf881d6f2a90ff8a519d593b324e66a90be07		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2497 bytes
Detection
ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.