Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 bf7601165acc92c7…

MALICIOUS

Office (OLE) / .DOC

47.5 KB Created: 2000-06-13 16:55:00 Authoring application: Microsoft Word 8.0
MD5: 1f15a22e5c80db05c61619dc3106845f SHA-1: 248e0c464b1718f355272435f8b2d31de0071154 SHA-256: bf7601165acc92c7233325ad903f22af7d0b5e383cf8b19eed880b2ec22b51f6
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The OLE document contains VBA macros that utilize the Shell() function, indicating an attempt to execute arbitrary code. The presence of 'macros.bas' and ClamAV detections further confirm its malicious nature. The document body content is unrelated to the malicious functionality.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 48,640 bytes but its declared streams total only 28,364 bytes — 20,276 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7aefc65b0c3ecb25e28eaef99b3bedd06540ee5e8faf3508e2583e16644cd3d8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5533 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.