Win.Trojan.Flesh-3 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 89d2f09a1087dc9d…

MALICIOUS

Office (OLE) / .DOC

Size: 22.0 KB
Created: 2010-05-04 15:25:00
Authoring application: Microsoft Word 9.0
MD5: d4d94c9dec94d4d24098274f89e6675d
SHA-1: b7c85d41dc73edf4989b6dd3d2ff82f76eaffb2d
SHA-256: 89d2f09a1087dc9dafb4398b39a6b9a8c6b2a1ba5000cc1d7a78a635244ac7c6
Risk Score: 140

Malware Insights

Win.Trojan.Flesh-3 · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1547.001 Registry Run Keys / Startup Folder

The sample is identified as Win.Trojan.Flesh-3 by ClamAV. It contains VBA code that references ShellExecute and WScript, indicating it will execute scripts. The script attempts to copy itself to the Windows directory and to all available fixed and removable drives as 'FS6519.dll.vbs', along with an 'autorun.inf' file to facilitate propagation. The script also attempts to write to the registry, likely for persistence.

Heuristics (3)

  • ClamAV: Win.Trojan.Flesh-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Flesh-3
  • Reference to ShellExecute API [high] (SC_STR_SHELLEXEC)
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)