Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a9a9f90f6a65d061…

MALICIOUS

Office (OLE)

37.0 KB
Created: 2006-03-28 10:39:00
Authoring application: Microsoft Word 8.0
MD5: 37cc204f959b39473f718f69ea1263fb
SHA-1: 568f289c8f86d8f705c595338b49491a82f1cc95
SHA-256: a9a9f90f6a65d06121b5ea18240b847143ce3950e2a7960b822ebe02ab1d0069
120 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Walker-9'. It contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The document body describes an art exhibition, likely a lure to encourage the user to enable macros. The presence of a Document_Open macro suggests an attempt to automatically run malicious code, potentially downloading a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Walker-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-9
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
  f487ce95ce59a5d4a5c98ebd13ef979bf080923db2b3032e2c729347df40216e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3158 bytes