Verdict: MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1204.002 Malicious File
T1566 Phishing
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The document contains VBA macros, specifically a Document_Open macro, which is a common technique for malware delivery. The document body acts as a social engineering lure, instructing the user to enable macros under the guise of removing a fictional virus. This lure is designed to bypass Office macro security settings and execute the embedded malicious VBA code. No specific malware family was identified, and no external IOCs like URLs or hashes were extracted from the provided evidence.
Heuristics 5
- ClamAV: Doc.Trojan.Thus-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Thus-8
- ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV): ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | 21ebbb03ce91cb25038df5c4d2b382d6d4796710ed90704cbe98ff933f1fdaac | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2380 bytes | ClamAV: Doc.Trojan.Thus-8 | unlikely |