Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 72343b57ec209e20…

MALICIOUS

Office (OLE) / .DOC

Size: 52.0 KB
Created: 2002-01-05 20:41:00
Authoring application: Microsoft Word 8.0
MD5: c1918b043ef0221c3a2be54e4acbe085
SHA-1: f27bb939178e7b6095a2095f4c1defe655f8cd0b
SHA-256: 72343b57ec209e20bca911bed2f78f8be3546d92cdc83e12c6c9b747bc2cf2cc
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The file contains VBA macros that utilize the Shell() function, indicating malicious intent. The macro attempts to write data to 'c:\hsf*.sys' and 'c:\netldx.vxd', and then attempts to connect to '209.201.88.110' using FTP-like commands. This suggests the macro is designed to download and execute a second-stage payload.

Heuristics (5)

  • Shell() call in VBA  (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31  (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact  (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected  (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL  (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mutuslab.cs.uwindsor.ca/green/59_235.htm

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e601c0c82d62e437f33505a83dbb5d1abdb41ce9df9415df6208eb0c399a4459
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21855 bytes
Detection: ClamAV: Doc.Trojan.Marker-1
Obfuscation or payload: unlikely