Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 80a0cb3b077419a4…

MALICIOUS

Office (OLE)

282.5 KB Created: 2009-06-17 14:37:00 Authoring application: Microsoft Word 10.1
MD5: 0d9ad6b4d2611b863228d18987537d3c SHA-1: f3b465250a436ef40f63f707c4573044a1b3f3c8 SHA-256: 80a0cb3b077419a431ad0cc4e5866464b79ddc1db9f0bfbcb45f15f82c5bc33f
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Thus-4'. A 'Document_Open' VBA macro was detected, suggesting it executes automatically upon opening. The presence of embedded URLs, although mostly benign, includes one potentially suspicious URL that could be used for further malicious activity. The document body itself appears to be a resume, which is likely a lure.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-4
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.comoedia.org/Beatrice-Demachy
    • http://www.comoedia.org/Beatrice-DemachyAnglais***
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://www.iec.ch

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3dbce9df9a19f618491c8e936966b44550401864322c21f028198df4b91053f7		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2304 bytes
Detection
ClamAV: Doc.Trojan.Thus-4
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.