Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ad3caa43b1a82718…

MALICIOUS

Office (OLE)

Size: 51.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
MD5: 0c31e4f1ce6592e760fbdb86a58fcbb7
SHA-1: b4aff7342129bebe2fa9deee0486d95cc4b18020
SHA-256: ad3caa43b1a82718d3a78ad037cbcec3eb68c344d38c15c6b7330aafe6c06321
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Thus-10'. The presence of AutoOpen, Document_Open, and Auto_Close VBA macros strongly suggests that the document is designed to execute malicious code upon opening or closing. While the document body contains seemingly benign text about concerts and sales, the heuristic firings and ClamAV detection point to a malicious macro-based document.

Heuristics (6)

  • ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b434f631b5be33cbe5bb5f47f790e02b241891c49c89e67be4864cb80c518e06
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4345 bytes
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely