MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Trojan.Saver-2. It contains VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon opening or closing a document. The document body presents a plausible lure related to a Ukrainian management association, likely to encourage the user to interact with the malicious content. No specific IOCs beyond the ClamAV signature were extracted.
Heuristics 6
-
ClamAV: Doc.Trojan.Saver-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Saver-2
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 46,592 bytes but its declared streams total only 26,674 bytes — 19,918 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basf2755f6f4c9b2c2d2680c3168ef27347b26e94e11a0c377710313fb0be7b74cd |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2290 bytes |
|
Detection
ClamAV:
Doc.Trojan.Saver-2
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.