Office (OLE) malware analysis — malicious · b82a157a63a16fe6

MALICIOUS

Office (OLE)

40.5 KB Created: 2000-11-09 02:54:00 Authoring application: Microsoft Word 8.0

MD5: 02cdaa4ada2981149f3e1129ce1e7d5b SHA-1: a6554f33570a469b17e73a53ff8339038b8df689 SHA-256: b82a157a63a16fe6b3c56348ed34d59bc0ec8b6aa8d880285847c8a64cc0c648

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Office document containing VBA macros, specifically triggering AutoOpen and Auto_Close events. Heuristics indicate the presence of a significant amount of macro code (13302 bytes) and ClamAV detections (Doc.Trojan.Class-37 and Doc.Trojan.Class-5) on the file and an extracted artifact. The presence of AutoOpen/Auto_Close macros strongly suggests the intent to execute malicious code upon opening or closing the document, likely to download and execute a second-stage payload. The document body content appears to be unrelated academic text, indicating a lure.

Heuristics 5

ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Class-37
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `1da9195fe46225b50e6f3eba6b808e55fdc743cb9ee90e9eb8b5a1dfcc86b516`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	13302 bytes
Detection ClamAV: Doc.Trojan.Class-5 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.