Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7789e867f6383541…

MALICIOUS

Office (OLE)

Size: 49.5 KB
Created: 2005-05-12 00:04:00
Authoring application: Microsoft Word 10.1
MD5: 09bf9c49a54e86a1089321f0019d8a85
SHA-1: af07e2ba7fbcdd3169bca29af84d9e6422e42c90
SHA-256: 7789e867f6383541b618561161dcd63cccb90877d5120ccf348ae444d3d9bf68
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros, including a Document_Open auto-execution macro, a common technique for gaining initial execution as soon as the document is opened. The document body presents itself as a press release with embedded hyperlinks to external websites. The VBA macro code, although only partially recovered, appears to manipulate document properties and potentially interact with the system, suggesting an attempt to download or execute further malicious content. The presence of multiple URLs of unknown reputation is consistent with a phishing or malware-distribution attempt.

Heuristics 5

  • ClamAV: Doc.Trojan.Marker-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The VBA project contains a Document_Open handler, which runs automatically when the document is opened (subject to the host's macro security settings).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.fluidcomponents.com/ProdFlowMeter.htm
    • http://www.fluidcomponents.com/ProdMT86.htm
    • http://www.rbmarketing.com/FCI/mt86.html
    • http://www.rbmarketing.com/FCI/press/FCI-MT_Series.doc

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: bd10700919a9a1fcf36965134b11c5196b79f67cd9e3a9e459d9dc3c513eebe2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4229 bytes
Detection: ClamAV: Doc.Trojan.Marker-2
Obfuscation or payload: unlikely