Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7f84baf213a2d4fa…

MALICIOUS

Office (OLE) / .DOC

Size: 61.5 KB
Created: 2009-11-09 23:18:00
Authoring application: Microsoft Word 10.0
MD5: c7026e3cbc54f88a44b46bc46e4ac6c4
SHA-1: a941a25cfc93860f0c4fe58a8d667505f0eb87b7
SHA-256: 7f84baf213a2d4fa7a10ab15c58b3987e4581fcc03a993d37f94d577822cb745
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, including AutoOpen and Auto_Close macros, which are commonly used to execute malicious code. The presence of these macros and the ClamAV detection strongly suggest malicious intent. The macro code's primary function appears to be the execution of embedded VBA code, likely to download and execute a second-stage payload.

Heuristics (4)

  • ClamAV: Doc.Trojan.Ble-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Ble-1
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close macro
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    c32050260f46f4466e6920ac886b830dcd1907616be4123c8c1b344cce0766a2
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 10453 bytes