Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cc1e35315b1b0d98…

MALICIOUS

Office (OLE)

Size: 46.0 KB
Created: 1999-05-08 04:45:00
Authoring application: Microsoft Word 8.0
MD5: d72b4577d5bb38eb1afbe22c2e531207
SHA-1: 6cc4e37764cc3196e5f0e82ef4c2b808d2e91a3e
SHA-256: cc1e35315b1b0d98575904906b1d5a03b09b4f1997debb033a538c25a9768abe
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with critical severity heuristics. The presence of VBA macros, specifically AutoOpen and Auto_Close, indicates an attempt to execute code upon opening and closing the document. The macros are likely responsible for downloading and executing a second-stage payload, as suggested by the ClamAV detection of an extracted artifact. The document body content is religious text and does not appear to be directly related to the malicious functionality.

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-37
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7219ef195c0061967c011f14077949da71daa514afd76cdf8a7896b4b3cb3533
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16200 bytes
Detection: ClamAV: Doc.Trojan.Class-1
Obfuscation or payload: unlikely