Office (OLE) / .DOC malware analysis — malicious · 8b1fda160edc1f09

MALICIOUS

Office (OLE) / .DOC

38.0 KB Created: 2010-08-17 10:35:00 Authoring application: Microsoft Word 10.0

MD5: 0374e2ee8644226b294778649464aceb SHA-1: e882a7da413d9f08084be79a3856e5d185aa2c21 SHA-256: 8b1fda160edc1f0904ffa2e9cc0a74edd7329da12c0c395e8fca9b2b7ed619b4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The document body presents itself as a job application or profile, using embedded URLs and an email address as lures. The presence of a Document_Open macro strongly suggests the intent to automatically execute malicious code upon opening, likely to download and execute a secondary payload. The ClamAV detection as 'Doc.Trojan.Thus-16' further supports its malicious nature.

Heuristics 4

ClamAV: Doc.Trojan.Thus-16 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-16
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.waterday.co.uk
- http://www.twister-band.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `790b16052dcca147354d20827a4bd02efa8a1d6a56ee9d175a7b21daa819a815`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1959 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.