Office (OLE) malware analysis — malicious · cc54e1ed8143e184

MALICIOUS

Office (OLE)

379.5 KB Created: 1997-10-10 00:33:00 Authoring application: Microsoft PowerPoint 4.0

MD5: 2509c8a672e1fe9829951487d8b40a5d SHA-1: 63363cf03844cb1b626b6825669990f8556096ef SHA-256: cc54e1ed8143e184f1e0de5cd12afb0c359d135c85d335b768d3e94f29a44f75

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.CyberHack-1. Static analysis revealed the presence of VBA macros, including an AutoOpen macro, which is a typical method for executing malicious code upon opening the document. No specific malware family could be confidently identified, but the technique suggests a macro-based downloader or dropper.

Heuristics 5

ClamAV: Doc.Trojan.CyberHack-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.CyberHack-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.cse.iitb.ernet.in/~sudarsha

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `6480c15b674636c72bff87fab7febc67e897ed44a6a6e4776d2b6e2022c00abf`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	34104 bytes
Detection ClamAV: Doc.Trojan.CyberHack-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.