Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 c0bbc4e98fffedfc…

MALICIOUS

Office (OLE) / .EXE

Size: 61.5 KB
Created: 1998-06-11 19:07:00
Authoring application: Microsoft Word 8.0
MD5: 0ed954c068f9db4f873b5ae34aecf3b5
SHA-1: b6e3a03af56cc47ddfe22bf34302162fac24422c
SHA-256: c0bbc4e98fffedfc3e0c69479d1869cb09d3658fd39c253f99bc24fd99b83a60
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros and presents itself as a financial offer for a $10,000 loan, which is a typical phishing lure. The embedded URLs are associated with a 'remove-list' service, likely a distraction or part of the scam infrastructure. The presence of VBA macros suggests the potential for malicious code execution, although the specific actions are not detailed in the provided evidence.

Heuristics 4

  • ClamAV: Win.Trojan.Pivis-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://remove-list.com
    • http://remove-list.com (Remove-List)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
4d8aa5cd9538e1fbd66c6f8fe34be10b4c38fabab8e82ca41e15d0bb454a1772
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45214 bytes
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely