Office (OLE) malware analysis — malicious · 86f8ee3abfbf6126

MALICIOUS

Office (OLE)

44.5 KB Created: 2007-09-16 15:29:00 Authoring application: Microsoft Word 11.0

MD5: bf64bceb02059dff8a261185d42bb7d0 SHA-1: 21f48156a215c6ff4c5b5adedf364fe3a5d751c5 SHA-256: 86f8ee3abfbf6126acd82663905c9fce608c9127e8064295f922c7ac7444def5

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize the Shell() function, indicating an attempt to execute external commands. The embedded document body text, while appearing benign as an academic assignment, likely serves as a lure to encourage macro execution. The presence of the 'macros.bas' artifact and the ClamAV detections further support its malicious nature.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
ClamAV: Doc.Trojan.Ded-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Ded-3
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.blueagle.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `4f00fcbb6262475d3700fadef04392830373faa1fe6c5ef10b23dc28824a5b2b`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3941 bytes
Detection ClamAV: Doc.Trojan.Ded-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.