Office (OLE) / .DOC malware analysis — malicious · 9d475c5a7e7c6b97

MALICIOUS

Office (OLE) / .DOC

33.0 KB Created: 2010-03-19 07:42:00 Authoring application: Microsoft Word 8.0

MD5: 415ddc7768f1764437386f0541b4f061 SHA-1: 06ed2499d4bbe9d1c989f431b21164c40a5f08ba SHA-256: 9d475c5a7e7c6b97810dbd159123b718a3b9a0ecaa876486e65e78b4fe58a085

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The file is a Microsoft Word document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic. The document body presents a fake invoice or quote for vehicle equipment, a common lure to trick users into enabling macros. The ClamAV detections (Doc.Trojan.Ethan-20 and Doc.Trojan.Ethan-1) further confirm its malicious nature. The presence of VBA macros suggests the intent is to execute malicious code, likely a downloader for a second-stage payload.

Heuristics 3

ClamAV: Doc.Trojan.Ethan-20 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Ethan-20
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `59f61c441d3ad45cd8f9af0ca9a8943f6dc14ff974f82220fcba2d6663ff15e4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6276 bytes
Detection ClamAV: Doc.Trojan.Ethan-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.