Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a29ba418df584553…

MALICIOUS

Office (OLE) / .DOC

98.0 KB Created: 2010-03-05 18:24:00 Authoring application: Microsoft Office Word
MD5: e68125b5e99d16355a0800377daefc58 SHA-1: 1446c02870ca895f26683b7cdff80e760d6b5af6 SHA-256: a29ba418df5845532c98f457d3e47aede88c1511810004a76fdf92ead5efa8d1
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is a Microsoft Word document containing VBA macros. Heuristics indicate the presence of macros and the execution of shell commands via the Shell() function. The extracted artifact 'macros.bas' is a VBA macro. The primary function of the script appears to be executing shell commands, which is a common technique for downloading and executing further malicious payloads. The document body content is unrelated to the malicious functionality.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bellinghamfarmers.org/home-public.html
    • http://www.locavores.com
    • http://www.seattlefarmersmarket.org
    • http://www.pugetsoundfresh.org
    • http://www.seattletilth.org
    • http://www.localharvest.org/farmers-markets/M4757
    • http://www.ipcc.ch/ipccreports/ar4-wg1.htm

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
aa69564d1e48d304f136fa6b01e058e529f477fcc6c43a7c7337fba3efe36785		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 6595 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.