Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71b13d8e4a59913b…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 1999-06-25 00:31:00
Authoring application: Microsoft Word 8.0
MD5: 0c764dcf7f62621aa9d80a0d199a9662
SHA-1: a55eab0b756c09c7385c04ae1400d474fb7e5e20
SHA-256: 71b13d8e4a59913b4ae5a14e0b3407cc5cfd763e9e608ceaa49b733de4da5442
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document containing VBA macros. The macros are designed to infect the Normal.dot template and the active document with malicious code, as indicated by the 'Doc.Trojan.Marker-17' ClamAV detection. The VBA code attempts to find and add specific strings to the code modules of both the active document and the Normal template, suggesting a self-propagating infection mechanism.

Heuristics (3)

  • ClamAV: Doc.Trojan.Marker-17 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Marker-17
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 1e735de5d7216dd07bfa49ce65f21b19909c55f00499f12529ffe1d74ee1d627
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 9726 bytes
    Detection: ClamAV: Doc.Trojan.Marker-17
    Obfuscation or payload: unlikely