Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 d07a3090f078fbef…

MALICIOUS

Office (OLE) / .DOCX

Size: 64.0 KB
Created: 1997-03-23 18:39:00
Authoring application: Microsoft Word 8.0
MD5: bffcea6524d3634175db63b0f4376b19
SHA-1: 510982b39a37c4a4ef5cfbe95202c899834c4f4d
SHA-256: d07a3090f078fbefef73f2f72a54ecac7c331c08f785c427617071ef8817d05e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder

The file is a Microsoft Word document containing a VBA macro with an AutoOpen subroutine. This macro is designed to copy itself to the Normal.dot template, which is a common technique for establishing persistence. The heuristic firings and the presence of the AutoOpen macro strongly indicate a macro-based infection. The script explicitly mentions 'AntiFWIN' and 'RSN MACRO VIRUS Goat file', suggesting it's a known, albeit older, macro virus.

Heuristics 3

  • ClamAV: Doc.Trojan.Attention-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Attention-5
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (3deb932a374d6dcf7fdfca5718e69720bcb4b561140344902d8a484a002f4362) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1392 bytes