Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9e057b7d52520827…

MALICIOUS

Office (OLE)

52.5 KB Created: 2003-11-11 16:33:00 Authoring application: Microsoft Word 9.0
MD5: 642eb3e5c104fd91a81918e40cab3441 SHA-1: 5f70b0d133496fb30f7c65062ef7955b51f59bce SHA-256: 9e057b7d52520827f2d8a97473aa4ed5034d3e6af6a67f1c5f928f1616dd2319
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is an OLE document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. ClamAV detected it as Doc.Trojan.Story-1. The document body presents a biography, which serves as a lure to encourage macro execution. No specific IOCs like URLs or hashes were extracted, and the VBA code was not detailed enough to reconstruct specific actions beyond macro execution.

Heuristics 4

  • ClamAV: Doc.Trojan.Story-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Story-1
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ba0090e81fca19020da12e5a76a431f979f266256243f56f620824976d9f3bee		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 7030 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.