Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afa5cf80e05b3bbc…

MALICIOUS

Office (OLE)

Size: 42.5 KB
Created: 2010-03-19 17:30:00
Authoring application: Microsoft Word 11.3
MD5: 05e00122c02adcf2f1483ce2097f416d
SHA-1: 53be2b1f0d0783edd4f519d2210c895e543ffeb4
SHA-256: afa5cf80e05b3bbc64039c4371213d542e6253f18a97bd15b8463f6a4e0661e8
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Word document (OLE2 compound file) whose VBA project defines a Document_Open procedure. Document_Open is an auto-execute entry point: Word runs it as soon as the document is opened with macros enabled, which is why it is a common initial-execution technique (ATT&CK T1059.005, Visual Basic). The document body discusses customs declarations for free trade zones and displays a fake system error message, a social engineering lure aimed at users involved in international trade, likely for financial gain or to bypass regulatory controls. The ClamAV detection Doc.Trojan.Thus-10 fires on both the document and the extracted macro source, corroborating the verdict. The extracted macro module itself was assessed as unlikely to contain obfuscation or an embedded payload, so the macro's full behaviour should be confirmed by reading the decoded source or by dynamic analysis rather than inferred from the signature hit alone.

Heuristics (4)

  • ClamAV: Doc.Trojan.Thus-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-10.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample (here the decoded VBA module macros.bas). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open procedure, an auto-execute entry point that Word runs as soon as the document is opened with macros enabled; no user action beyond opening the file (and accepting the macro prompt) is required.
  • VBA macros detected medium OLE_VBA_MACROS
    The document contains VBA macro code. On its own this is only a medium indicator, since legitimate documents also carry macros; the severity comes from what the macros do and how they are triggered.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e5c4b51190c6c1e12a48a3c599e13015679bac3dfbd61d12a619cf93fce8ef64
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2317 bytes
Detection: ClamAV: Doc.Trojan.Thus-10
Obfuscation or payload: unlikely
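The heuristics above (OLE_VBA_MACROS, OLE_VBA_DOCOPEN) and the "Obfuscation or payload: unlikely" assessment on the extracted module can be reproduced by simple rules over the decoded VBA text that olevba extracts. The following is an added example written for this report and is not the analysis platform's or oletools' own code; the rule set, the severity ladder, the treatment of a MsgBox with vbCritical as the "fake system error" lure, and both macro samples are assumptions constructed for illustration (the real macros.bas is not reproduced on this page).

```python
"""Triage decoded VBA source for auto-exec entry points, payload calls and obfuscation.

Added example, not the report's own tooling. Input is the kind of text
oletools' olevba writes out as the decoded macro source; the two samples at
the bottom are constructed and stand in for the page's macros.bas.
"""
import re
from dataclasses import dataclass, field

# Auto-executing procedure names; VBA is case-insensitive so keys are lowercased.
AUTOEXEC = {
    "document_open": "Document_Open",    # Word: runs when the document is opened
    "autoopen": "AutoOpen",              # Word: legacy auto-run on open
    "document_close": "Document_Close",  # Word: runs when the document is closed
    "autoclose": "AutoClose",            # Word: legacy auto-run on close
    "workbook_open": "Workbook_Open",    # Excel: runs when the workbook is opened
    "auto_open": "Auto_Open",            # Excel: legacy auto-run on open
}

# Calls that indicate the macro carries a payload (execution, download, file drop).
PAYLOAD_KEYWORDS = [
    "WScript.Shell", "Shell", "CreateObject", "URLDownloadToFile",
    "ADODB.Stream", "powershell", "Environ",
]

# Common obfuscation idioms in maldoc VBA (assumed rule set, not exhaustive).
OBFUSCATION_PATTERNS = {
    "Chr() concatenation chain": r"(?:Chr[W$]?\(\d+\)\s*[&+]\s*){4,}",
    "reversed string": r"\bStrReverse\b",
    "XOR decode loop": r"\bXor\b",
    "large numeric array literal": r"(?:\b\d{1,3}\s*,\s*){32,}",
}

PROC_DEF = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
# Assumption: the report's "fake system error message" is a MsgBox with the critical icon.
ERROR_LURE = re.compile(r"MsgBox\b[^\n]*\bvbCritical\b", re.I)


@dataclass
class Verdict:
    has_macros: bool
    autoexec: list = field(default_factory=list)
    payload: list = field(default_factory=list)
    obfuscation: list = field(default_factory=list)
    error_lure: bool = False

    @property
    def severity(self) -> str:
        """Mirror the report's ladder: macros alone medium, auto-exec high, both plus payload critical."""
        if not self.has_macros:
            return "none"
        if self.autoexec and (self.payload or self.obfuscation):
            return "critical"
        if self.autoexec:
            return "high"      # OLE_VBA_DOCOPEN
        return "medium"        # OLE_VBA_MACROS

    @property
    def obfuscation_or_payload(self) -> str:
        return "likely" if (self.payload or self.obfuscation) else "unlikely"


def triage(vba_source: str) -> Verdict:
    """Score one decoded VBA module."""
    procs = PROC_DEF.findall(vba_source)
    v = Verdict(has_macros=bool(procs))
    v.autoexec = [AUTOEXEC[p.lower()] for p in procs if p.lower() in AUTOEXEC]
    # Word-boundary matching so 'Shell' does not fire on 'powershell' inside a longer token.
    v.payload = [k for k in PAYLOAD_KEYWORDS
                 if re.search(r"\b" + re.escape(k) + r"\b", vba_source, re.I)]
    v.obfuscation = [name for name, pat in OBFUSCATION_PATTERNS.items()
                     if re.search(pat, vba_source, re.I)]
    v.error_lure = bool(ERROR_LURE.search(vba_source))
    return v


# Constructed sample 1: auto-exec plus a fake error dialog, no payload (the report's profile).
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' Constructed lure: tells the user the document failed to render.
    MsgBox "Error 0x80004005: This document could not be displayed.", vbCritical, "Microsoft Word"
    ActiveDocument.Variables("opened").Value = "1"
End Sub
'''

# Constructed sample 2: auto-exec that builds and runs a command from Chr() codes ("calc").
DROPPER_VBA = r'''
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Chr(99) & Chr(97) & Chr(108) & Chr(99) & ".exe"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("lure", SAMPLE_VBA), ("dropper", DROPPER_VBA)):
        v = triage(src)
        print(name, v.severity, v.autoexec, v.payload, v.obfuscation, v.obfuscation_or_payload)
```

Run against the first sample the verdict is "high" with "Obfuscation or payload: unlikely", matching the report; the second sample escalates to "critical" because the auto-exec entry point is combined with a COM shell object and a Chr() chain. Such keyword rules are a triage aid only: a Document_Open that merely sets a variable and a Document_Open that stages a second-stage download look the same to them until the decoded source is read.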