Office (OLE) malware analysis — malicious · a956d96be7da6da3

MALICIOUS

Office (OLE)

45.5 KB Created: 1999-11-17 04:32:00 Authoring application: Microsoft Word 8.0

MD5: b3b4247ef5d7e040f0d062a1000c6ed9 SHA-1: 8d2f6c8d350a0cec8a9bab91bf188f2c389def05 SHA-256: a956d96be7da6da3bdc3fbe94e8611211ddc8b1bfd81fb9417f269fbaa3c4d68

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with multiple critical detections, indicating it's a known malware variant. The presence of VBA macros, specifically AutoOpen and Auto_Close, strongly suggests that the document is designed to execute malicious code upon opening or closing. The macros likely serve to download and execute a second-stage payload, a common technique for malware delivery. The document body content appears to be unrelated educational material, suggesting it's a lure to disguise the malicious macro functionality.

Heuristics 5

ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Class-37
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f3815b158294da6d49af7b09e2fcdf532e0be49ed802155d63b6bfb45c1596ca`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	21401 bytes
Detection ClamAV: Doc.Trojan.Class-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.