Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90257a372ed1a3da…

MALICIOUS

Office (OLE)

65.5 KB Created: 2000-03-30 11:03:00 Authoring application: Microsoft Word 8.0
MD5: 6b5e99d94735bdc7cdf46f76abc3a042 SHA-1: e1e1a6580ee2f2ae5988e9f2ed5dff1b3a8b2f6b SHA-256: 90257a372ed1a3da4189115773a037691b9edc75cd2727b8cb357d9123ee9371
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is an OLE document containing VBA macros, flagged by heuristics as malicious. The document body presents a HACCP plan, a common lure for social engineering. The presence of VBA macros suggests an attempt to execute malicious code upon enabling them. The ClamAV detections 'Doc.Trojan.Ethan-20' and 'Doc.Trojan.Ethan-1' further confirm its malicious nature, though the specific family could not be determined.

Heuristics 3

  • ClamAV: Doc.Trojan.Ethan-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f1a75a379535f62e6b90e0ee87264be2e56ba6988b91c53a719caf6706a93abf		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 6272 bytes
Detection
ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.