Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7ea628400fd04d08…

MALICIOUS

Office (OLE)

41.0 KB
Created: 2009-01-07 11:53:00
Authoring application: Microsoft Word 11.2
MD5: 59b563aa4c5a9a68dced10a4acd63f0a
SHA-1: a43b934085524863dbb2db85473b9afda7ccd72a
SHA-256: 7ea628400fd04d08fa8b562a6e4dd534eff92ee19ed5cefb2b38feccd60e8732
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for initiating malicious actions upon opening a document. The ClamAV detection 'Doc.Trojan.Story-1' strongly suggests a known malware variant. The document body presents what appears to be legitimate business information, likely intended to trick the user into enabling macros. The VBA macros are obfuscated, indicating an attempt to hide malicious code that likely downloads and executes a second-stage payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Story-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Story-1
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
e01f89286797f34b5c08174d266f33694b24c91b7c578689fbee556bd0b7bbd1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7058 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 Chr/ChrW string-construction calls.