Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d99ec1995ff44157…

MALICIOUS

Office (OLE) / .DOC

Size: 60.5 KB
Created: 2010-08-20 01:06:00
Authoring application: Microsoft Word 10.1
MD5: aad6c3c8c9170dd9e5ba99d1a9b624c6
SHA-1: bc3180626e744727cc15ee713fdc852c556a5c59
SHA-256: d99ec1995ff44157d098e2ab15dfe8b6bac9ef4cedf2dc4d33447c097c0fb22f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Word (OLE) document carrying VBA macros, among them a Document_Open procedure. Word invokes Document_Open on its own as soon as the document is opened with macros enabled, so no further user action is needed for the macro code to run; this is the usual entry point for a macro-based maldoc. The document body reads as an invitation to a symposium, consistent with a spearphishing lure (T1566.001). The decoded macro source was carved out as macros.bas but is not reproduced in this report, so what the macro actually does (for example, whether it contacts any of the extracted URLs) is not established here. The URLs listed under the Embedded URL heuristic are artifacts, not detections; of the three, http://www.apple.com/DTDs/PropertyList-1.0.dtd is the standard DTD reference from the header of an Apple property-list (plist) XML blob and is expected metadata rather than a contact address, leaving the symbiotica-adaptation.com URLs as the ones worth checking. The ClamAV signature hit Doc.Trojan.Marker-35 corroborates the verdict.

Heuristics (4)

  • ClamAV: Doc.Trojan.Marker-35 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; a per-URL label names the channel (macro, JS, link annotation, document body, ...) through which each URL was reached. No channel label is shown for the three URLs below.
    • http://symbiotica-adaptation.com/
    • http://symbiotica-adaptation.com/List
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 97fb9ed5d38e0b6bade1470723057a34a35f55a060cd8f18dad6bd59bb9eaced
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1585 bytes
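As an added example (not the scanning platform's code, and not the contents of the extracted macros.bas, which the report does not reproduce), the Python below reruns the three macro-related checks from the heuristics list over decoded VBA source: it finds auto-executing procedure names such as Document_Open, pulls out URLs referenced from the macro so they can be labelled with the "macro" channel, and reports rule hits on the same info/medium/high/critical scale the report uses. The VBA text is constructed for the example, the URL example.invalid is a placeholder, and the rule id OLE_VBA_AUTOEXEC for entry points other than Document_Open is assumed. The extract_macro_source helper shows how the same text is obtained from a real file with oletools' VBA_Parser, the extractor the artifact's Source field names; it is optional and only imported when called.

```python
"""Triage of decoded VBA source: auto-exec entry points, URLs, severity.

Added example, not the analysis platform's own code. SAMPLE_VBA below is
a constructed stand-in for an extracted macros.bas; the real one is not
reproduced in the report.
"""
import re
from dataclasses import dataclass

# Procedure names Word/Excel run without user interaction once macros are enabled.
AUTOEXEC_NAMES = {
    "document_open", "autoopen", "auto_open", "autoexec",
    "document_close", "autoclose", "auto_close", "autoexit",
    "workbook_open", "workbook_close", "document_new", "autonew",
}

# Severity scale as used in the report's heuristic list.
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}

# Start of a Sub/Function declaration, optionally preceded by a visibility keyword.
PROC_RE = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)
# Absolute http/https/ftp URLs, stopping at whitespace, quotes and brackets.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>()]+", re.IGNORECASE)


@dataclass
class Heuristic:
    rule_id: str
    severity: str
    detail: str


def find_procedures(vba: str) -> list[str]:
    """All Sub/Function names declared in the source, in declaration order."""
    return PROC_RE.findall(vba)


def find_autoexec(vba: str) -> list[str]:
    """Declared procedures that Office invokes automatically (Document_Open etc.)."""
    return [p for p in find_procedures(vba) if p.lower() in AUTOEXEC_NAMES]


def find_urls(vba: str) -> list[str]:
    """Unique URLs referenced anywhere in the source, trailing punctuation stripped."""
    urls: list[str] = []
    for u in URL_RE.findall(vba):
        u = u.rstrip(".,;")
        if u not in urls:
            urls.append(u)
    return urls


def triage(vba: str) -> list[Heuristic]:
    """Apply the report's macro heuristics to one decoded VBA module."""
    hits: list[Heuristic] = []
    if vba.strip():
        hits.append(Heuristic("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    for name in find_autoexec(vba):
        # OLE_VBA_DOCOPEN is the report's id; OLE_VBA_AUTOEXEC is an assumed id for the others.
        rule = "OLE_VBA_DOCOPEN" if name.lower() == "document_open" else "OLE_VBA_AUTOEXEC"
        hits.append(Heuristic(rule, "high", f"{name} macro runs automatically"))
    for url in find_urls(vba):
        # Informational only: the URL is an artifact; "macro" is its channel label.
        hits.append(Heuristic("EMBEDDED_URL", "info", f"macro: {url}"))
    return hits


def max_severity(hits: list[Heuristic]) -> str:
    """Highest severity among the hits ('info' when there are none)."""
    return max((h.severity for h in hits), key=SEVERITY_RANK.__getitem__, default="info")


def extract_macro_source(path: str) -> str:
    """Decoded VBA source of every module in an OLE/OOXML file, via oletools.

    Optional: oletools is imported only here, so the rest of this module runs
    without it. This is the extraction the artifact's Source field refers to.
    """
    from oletools.olevba import VBA_Parser  # pip install oletools
    parser = VBA_Parser(path)
    try:
        if not parser.detect_vba_macros():
            return ""
        return "\n".join(code for _, _, _, code in parser.extract_macros())
    finally:
        parser.close()


# Constructed sample standing in for macros.bas (not the report's real macro).
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim target As String
    target = "http://example.invalid/List"
    Call Stage(target)
End Sub

Private Sub Stage(u As String)
    ' A real dropper would fetch and run u here; this stand-in only logs it.
    Debug.Print "would fetch " & u
End Sub
'''

if __name__ == "__main__":
    for h in triage(SAMPLE_VBA):
        print(f"{h.severity:8s} {h.rule_id:16s} {h.detail}")
    print("overall:", max_severity(triage(SAMPLE_VBA)))
```

Against the constructed sample this yields the same three macro-side hits the report lists (OLE_VBA_MACROS medium, OLE_VBA_DOCOPEN high, EMBEDDED_URL info) with an overall severity of high; to triage the real artifact, feed `extract_macro_source("sample.doc")` to `triage` instead of SAMPLE_VBA.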