Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71ab03df32690ecd…

MALICIOUS

Office (OLE)

59.5 KB Created: 2009-02-24 03:11:00 Authoring application: Microsoft Word 11.3.5
MD5: ed7605d843ac67dc936dd536da8f755e SHA-1: bc9ce5727e58e80795e955c7231770e7e5e2fdee SHA-256: 71ab03df32690ecd6ad837317d92496cc3601e80dfd1aa358a547c96ea531f4a
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that are designed to execute arbitrary code via the Shell() function. The script attempts to write a payload to 'c:\hsf0000.sys' and then upload it using FTP commands to '209.201.88.110'. This indicates the document is a downloader for a second-stage malicious payload.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
79af8aa91703b3765a055c4c7367d7194e30d1459160e0bc34c273d2efe6ed63		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 6269 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.