Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7c5a272a13b37996…

MALICIOUS

Office (OLE) / .DOC

Size: 87.5 KB
Created: 2010-08-31 12:08:00
Authoring application: Microsoft Word 11.5.0
MD5: 076dfc461e942e56210b19b183e03fef
SHA-1: 690baac8706776abec1e97bc4cf4dc7885afab0e
SHA-256: 7c5a272a13b37996b01e7b4d37ef0b77f47f944cbe86c1871d97f49f1cb96ea2
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The ClamAV heuristic 'Doc.Trojan.Thus-8' strongly indicates malicious intent. The document body presents a list of email addresses, likely a social engineering lure to encourage macro execution. No specific malware family could be identified, but the presence of a Document_Open macro suggests it's designed to run malicious code upon opening.

Heuristics (4)

  • ClamAV: Doc.Trojan.Thus-8 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
          26931056217cda351f96f38ec840e8587c28338c60955ee0acc21d6bba6aecbc
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2343 bytes
Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely