Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 87d84e00d66d62f2…

MALICIOUS

Office (OLE) / .DOC

Size: 28.5 KB
Created: 2001-07-05 06:34:00
Authoring application: Microsoft Word 8.0
MD5: e11b60ed62c2fb328cb4ef353c46f790
SHA-1: bcf2b01ae3c4affdfe35a58c6e105a8bf286cb34
SHA-256: 87d84e00d66d62f24cc848fa3d6f56f2a4c9db198db9962641dbca993d26820a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The presence of VBA macros, specifically a Document_Open macro, indicates an attempt to execute code upon opening the document. The embedded artifact 'macros.bas' and the ClamAV detection 'Doc.Trojan.Thus-10' further confirm malicious intent. The document body explicitly states 'This file contains a virus!', which is a common lure to trick users into enabling macros or proceeding with an infection.

Heuristics (3)

  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
          b647ecee9ccdcbaa5e7b186dcdf78d4a52c94890ebe153197ffb7323647dd5a9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2472 bytes
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely