Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c83e9965636a66d9…

MALICIOUS

Office (OLE)

58.5 KB Created: 2007-08-07 20:04:00 Authoring application: Microsoft Word 11.0
MD5: 3b67f82883b4a4e14ffa7e63b508bdb0 SHA-1: df706c4309a66648a886662f3077f1772582b927 SHA-256: c83e9965636a66d9cb6fac3ad6f1630c57232a728ef0fc92c3955c963ce1da93
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The macro likely attempts to download or redirect the user to malicious content via the embedded URL. The ClamAV detection as 'Doc.Trojan.Thus-8' further supports its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.hoodmusic.net

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
33a30b54667d2b0182b7b1bc69b2be678b22b4c14b42fe2dad532d945682c587		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2382 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.