Office (OLE) / .DOC malware analysis — malicious · bbf6687cbef41c61

MALICIOUS

Office (OLE) / .DOC

79.0 KB Created: 2008-02-24 23:25:00 Authoring application: Microsoft Word 10.1

MD5: 54f89cb4a3eaa3a4b4fed1c3d8b8a299 SHA-1: d76224a1947a64fa0194a3d5e6483b3ef8267a57 SHA-256: bbf6687cbef41c615d43d8fcd8181ca9c736196cc4affd4cca3458b76a3b597f

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is a malicious Microsoft Word document containing VBA macros. The 'Document_Open' macro is present, indicating that malicious code will execute automatically when the document is opened. ClamAV detections further confirm its malicious nature. No specific family could be identified, and no IOCs were extracted beyond the presence of macros.

Heuristics 5

ClamAV: Doc.Trojan.Marker-40 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Marker-40
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9651624cb097012c67881e1ed190f108b816a96ca9bfc5f8ddebd053bec2a6f8`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4273 bytes
Detection ClamAV: Doc.Trojan.Marker-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.