Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8baadc8df6323a21…

MALICIOUS

Office (OLE)

Size: 52.5 KB
Created: 2010-06-25 18:26:00
Authoring application: Microsoft Macintosh Word
MD5: 26cf3c64b40819023c6998f96abf2582
SHA-1: cc3a176b7edfea0c624a7418da620c91b1272e21
SHA-256: 8baadc8df6323a21a212b3cf925880dcaebe1bf4e82b2de8afa71190bb5d01d1
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Marker-35. Static analysis detected VBA macros, specifically a Document_Open macro, indicating that the file is designed to execute code automatically when opened. The document body contains what appears to be biographical information, likely a lure to disguise the malicious intent of the embedded macro.

Heuristics (4)

  • ClamAV: Doc.Trojan.Marker-35 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • Document_Open macro (severity: high, ID: OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (f5002f7cabdb72007a507ea4a68dfb172e6f199556c3c2b08e39298247953581)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1590 bytes