Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 764f69c682f947e6…

MALICIOUS

Office (OLE) / .EXE

Size: 100.0 KB | Created: 2001-10-31 07:40:00 | Authoring application: Microsoft Word 8.0
MD5: 0cd5ad314b3857cb7cd14d28511eea47
SHA-1: 637fc266a9faae7187277197045504675ae6325a
SHA-256: 764f69c682f947e6926f0d21530fa5a2806fc6d67a56083b287c557ac90560b2
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Eight941-1'. It contains VBA macros, specifically a 'Document_Open' macro, which is a common technique for executing malicious code upon opening a document. The macro's code attempts to copy itself to other projects and includes logic that appears to be related to file searching, suggesting it may download or execute additional payloads. The presence of a 'Document_Open' macro strongly indicates it was delivered as a spearphishing attachment.

Heuristics (4)

  • ClamAV: Doc.Trojan.Eight941-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Eight941-1
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e2f19160415230c8f18b58fe17de8315ea642277528c74584ba6e166028c2420
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2382 bytes
Detection: ClamAV: Doc.Trojan.Eight941-1
Obfuscation or payload: unlikely