Office (OLE) / .DOCX malware analysis — malicious · be7b8e066d0f6f32

MALICIOUS

Office (OLE) / .DOCX

45.5 KB Created: 2001-01-09 23:30:00 Authoring application: Microsoft Word 8.0

MD5: c4125a975fd2583cbc06a140bd827394 SHA-1: 6d0f1c97e3522ab202752b8df0c0f8bd82b95422 SHA-256: be7b8e066d0f6f32eb677d5c50e93f4ac46547bc2e972689be8c27cc7faad320

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is detected as malicious by ClamAV with multiple signatures indicating it's a trojanized document. The presence of VBA macros, specifically the use of GetObject, suggests an attempt to download and execute a secondary payload. The macro code appears to be designed to inject itself into other workbooks and potentially establish persistence, although the full extent is obscured by truncation.

Heuristics 4

ClamAV: Doc.Trojan.Jerk-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Jerk-7
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `136a7210fbe90c3945ff4939ccfe76949ae3443e56721242c5ca4d877c9e2f3e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	34830 bytes
Detection ClamAV: Doc.Trojan.Jerk-5 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.