Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 af3fcc4d0646a3a2…

MALICIOUS

Office (OLE) / .DOC

Size: 165.0 KB
Created: 2020-05-16 15:58:00
Authoring application: Microsoft Office Word
MD5: b2e6be2b7c08933f90d09b45a6144f85
SHA-1: fe28bcdc3b2e733740a993e6665676709e1787a0
SHA-256: af3fcc4d0646a3a2c27512b07a0c84428ced10606e28e248ecfcd8c2569d85d8
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The file is a malicious OLE (legacy .doc) document that contains VBA macros, including a Document_Open procedure, which Word runs automatically when the document is opened (subject to the user's macro security setting). The macro source references the VirtualProtect API, which changes the protection of memory pages and is the usual way a macro makes a buffer executable before transferring control to native code; an ordinary document has no reason to import it. The ClamAV signature Doc.Malware.Shellex-8423557-0 corroborates the verdict. The only URL extracted, http://schemas.openxmlformats.org/drawingml/2006/main, is a standard OpenXML schema namespace present in benign documents and is not an indicator; static analysis recovered no network IOCs or payload hashes, so any second stage would have to be characterized by dynamic analysis. The attack pattern is nonetheless clear: a malicious macro embedded in a Word document delivered as an attachment.

Heuristics (5)

  • ClamAV: Doc.Malware.Shellex-8423557-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Shellex-8423557-0
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    The VBA project defines a Document_Open procedure, an auto-execute entry point that Word runs when the document is opened
  • Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
    The decoded macro source references VirtualProtect, a kernel32 API used to change memory page protections (typically to make a buffer executable)
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (standard OpenXML schema namespace, not an indicator)
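The heuristics above can be reproduced over decoded macro text. The following Python is an added example, not the scanner that produced this report and not oletools code; it assumes the VBA source has already been decoded (for instance by olevba, the Source listed for macros.bas), mirrors the report's rule identifiers, uses a constructed SAMPLE_VBA that is not the real macros.bas, and includes extract_vba as a thin wrapper around oletools' VBA_Parser that is only needed when scanning a real file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Auto-executing VBA entry points. Document_Open is the one flagged above
# (OLE_VBA_DOCOPEN); the others are checked the same way.
AUTOEXEC_PROCS = (
    "Document_Open", "Document_Close", "AutoOpen", "AutoClose",
    "AutoExec", "Workbook_Open", "Auto_Open",
)

# Win32 APIs a document has no business importing; each is a memory or
# execution primitive used to stage native code from VBA.
SUSPICIOUS_APIS = {
    "VirtualProtect": "changes page protection, typically to make a buffer executable",
    "VirtualAlloc": "allocates memory, typically RWX, for a payload",
    "RtlMoveMemory": "copies bytes into that memory",
    "CreateThread": "starts execution of the copied code",
}

# Namespaces Office writes into every document; matching URLs are not IOCs.
BENIGN_URL_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/office/",
)

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


@dataclass(frozen=True)
class Finding:
    rule_id: str   # mirrors the report's heuristic identifiers
    severity: str  # critical / high / medium / info
    detail: str


def find_autoexec(vba: str) -> list[Finding]:
    """Flag Sub definitions that Office runs without user interaction.
    VBA identifiers are case-insensitive, so 'Sub document_open()' still
    fires; matching therefore uses re.IGNORECASE."""
    found = []
    for proc in AUTOEXEC_PROCS:
        if re.search(rf"\bSub\s+{re.escape(proc)}\s*\(", vba, re.IGNORECASE):
            rule = "OLE_VBA_DOCOPEN" if proc == "Document_Open" else "OLE_VBA_AUTOEXEC"
            found.append(Finding(rule, "high", f"{proc} macro"))
    return found


def find_api_refs(vba: str) -> list[Finding]:
    """Flag references to memory/execution APIs (Declare lines or calls).
    A plain string search misses names assembled at runtime with Chr()/StrReverse,
    so no hit is not evidence of absence."""
    return [
        Finding(f"SC_STR_{api.upper()}", "medium", f"Reference to {api} API: {why}")
        for api, why in SUSPICIOUS_APIS.items()
        if re.search(rf"\b{api}\b", vba, re.IGNORECASE)
    ]


def find_urls(vba: str) -> list[Finding]:
    """Extract URLs from the macro text and separate stock Office schema
    namespaces from anything that deserves a look."""
    found = []
    for url in sorted(set(URL_RE.findall(vba))):
        if url.startswith(BENIGN_URL_PREFIXES):
            found.append(Finding("EMBEDDED_URL", "info", f"{url} (Office schema namespace, not an indicator)"))
        else:
            found.append(Finding("EMBEDDED_URL", "info", f"{url} (reached from macro source; review)"))
    return found


def scan(vba: str) -> list[Finding]:
    """Run all heuristics over decoded VBA source; empty source yields nothing."""
    if not vba.strip():
        return []
    return ([Finding("OLE_VBA_MACROS", "medium", "Document contains VBA macro code")]
            + find_autoexec(vba) + find_api_refs(vba) + find_urls(vba))


def extract_vba(path: str) -> str:
    """Decode macro source from an OLE/OOXML file with oletools, the 'Source'
    listed for macros.bas above. Imported lazily so the rest of this file runs
    without oletools installed. VBA_Parser.extract_macros() yields
    (filename, stream_path, vba_filename, vba_code) tuples."""
    from oletools.olevba import VBA_Parser
    parser = VBA_Parser(path)
    try:
        if not parser.detect_vba_macros():
            return ""
        return "\n".join(code for _, _, _, code in parser.extract_macros())
    finally:
        parser.close()


# Constructed stand-in for decoded macro source; NOT the real macros.bas.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" _
    (ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, _
     ByVal flNewProtect As Long, lpflOldProtect As Long) As Long

Private Sub document_open()
    ' lower-case on purpose: Word still runs it
    Dim ns As String
    ns = "http://schemas.openxmlformats.org/drawingml/2006/main"
End Sub
'''

if __name__ == "__main__":
    import sys
    source = extract_vba(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VBA
    for f in scan(source):
        print(f"[{f.severity:8}] {f.rule_id:24} {f.detail}")
```

Run it with no arguments to scan the constructed sample, or pass the path of an OLE file (or the carved macros.bas) to scan real source. Two caveats apply to any string-based heuristic of this kind: a hit on VirtualProtect shows the name is present in the source, not that the code path executes, and an obfuscated macro that builds API names at runtime will produce no hit at all, which is why the ClamAV signature and the auto-exec entry point carry more weight in the verdict than the API string alone.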

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 227db37a6670186f924c6737538951bc5fb0d6796ad1f33a01a45a8476c571ec
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28688 bytes