Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8f147e5d40514ab5…

MALICIOUS

Office (OLE)

28.0 KB Created: 2007-12-09 15:57:00 Authoring application: Microsoft Word 10.0
MD5: 43ab9d103a117b15d993ba10d9b14f37 SHA-1: 275bf09cf6e4891c3f0428efff0ab6d940463088 SHA-256: 8f147e5d40514ab51855e154f6b0da9a9442a4deed7cbdc6935bd922461d1464
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. The ClamAV heuristic firings further confirm its malicious nature. The document body presents text about a South African soap opera, likely intended to appear as legitimate content to trick the user into enabling macros. No specific malware family could be identified, and no external IOCs like URLs or hashes were extracted from the provided evidence.

Heuristics 4

  • ClamAV: Doc.Trojan.Strings-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Strings-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
bb3fdd3d064cdcf6a4f7e8ac833ee1d18b8cc1270816d75b45c36fc78384837d		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 909 bytes
Detection
ClamAV: Doc.Trojan.Strings-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.