Office (OLE) / .DOC malware analysis — malicious · d0904aaf909fd27b

MALICIOUS

Office (OLE) / .DOC

37.5 KB Created: 2008-09-18 20:15:00 Authoring application: Microsoft Word 10.0

MD5: 753e63bbec00d48ca05687379018c96b SHA-1: 1c945e3653d5028d0f3f0cc2bb118f0263d6795d SHA-256: d0904aaf909fd27bb2152576ebcff39776934405a3a316eeb33b803c8d7a07ac

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro. This macro is likely intended to execute malicious code upon opening the document, as indicated by the critical ClamAV detection. No specific malware family could be identified, and the embedded URL was confirmed as benign.

Heuristics 5

ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-8
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f42c9a951f2c3e9fa1d90dac6930fdc1b99834e7990c87d2cbc6a204cae86178`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2358 bytes
Detection ClamAV: Doc.Trojan.Thus-8 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.