Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b5c1895ff654cd0…

MALICIOUS

Office (OLE)

Size: 164.5 KB
Created: 2010-08-03 21:34:00
Authoring application: Microsoft Word 11.0
MD5: b9ad69cf1eccf07b1ca907b3948998d9
SHA-1: 45ac1381824a1ea7682577493582db59535ebbc4
SHA-256: 7b5c1895ff654cd095914dfa60ead8d115b8d98249d954291db3e882d231a542
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Thus-8'. It contains VBA macros, including a 'Document_Open' macro, which runs automatically when the document is opened and is a common technique for executing malicious code without further user interaction. The document body contains language suggestive of an invoice or payment lure, intended to trick the user into enabling the macros.

Heuristics (5)

  • ClamAV: Doc.Trojan.Thus-8 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document contains a Document_Open macro, which executes automatically when the document is opened.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; this is useful context when combined with link, macro, or attachment indicators

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 692e5bbe1a1341ac2d484605ab0658375db8e40d6725e75b59b9d4da709a4059
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2376 bytes
Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely