Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cd32d33bab0f96b7…

MALICIOUS

Office (OLE) / .DOC

138.5 KB Created: 2000-07-28 13:57:00 Authoring application: Microsoft Word 8.0
MD5: 169fad52db533ace96538802c1cfccd1 SHA-1: 833209b8e756d9f821baefc7f76a0b3b0ab0f036 SHA-256: cd32d33bab0f96b710d1e14ebcbdce9ccaec38a2f478feb1433940fec433a634
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file contains a malicious VBA macro that utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The presence of an OLE object related to Equation Editor suggests exploitation of a known vulnerability (CVE-2017-11882). The macro likely downloads and executes a second-stage payload, as indicated by the ClamAV detection on an extracted artifact named 'macros.bas'. The document body content is unrelated to the malicious functionality.

Heuristics 6

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
915cba02b983a41de29abce911c0ae9019dbfa608e37c305f5aa08996c9e219a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5415 bytes
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.