Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 94caeff60409fd73…

MALICIOUS

Office (OLE) / .DOC

Size: 168.0 KB
Created: 2008-09-18 16:42:00
Authoring application: Microsoft Word 11.5.0
MD5: 5e3818963d60f969a83ce48b85c585e9
SHA-1: dfc5925f6d96fdb17aa6075641464239eb8317cd
SHA-256: 94caeff60409fd734f5433c3ead7a1378fee7f75a980fcd230b7355fcc4368d1
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The document body discusses the rock cycle and student requirements, likely serving as a lure to encourage macro execution. The ClamAV detection 'Doc.Trojan.Walker-9' strongly indicates malicious intent. No specific family could be identified, but the execution flow points to a macro-based downloader.

Heuristics (4)

  • ClamAV: Doc.Trojan.Walker-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-9
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cotf.edu/ete/modules/msese/earthsysflr/rock.html
    • http://www.iowaaeaonline.org/
    • http://www.calendarsthatwork.com/membershipd.php
    • http://www.windows.ucar.edu/
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 28881cc02edbe5fa3d44379f155ed27f6b47492861bc9c6070ff8d8b8914261a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3158 bytes