Opey — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 d9f0cf86b92e9f26…

MALICIOUS

Office (OLE) / .DOC

Size: 1.84 MB · Created: 2002-11-27 10:13:00 · Authoring application: Microsoft Word 10.0
MD5: b37ea6b74ef0e95b2cf138ae6e22f089
SHA-1: b013a71f191ded870860d0943a41177cd0a1c53e
SHA-256: d9f0cf86b92e9f26b5f9dd2702a4c12487e8bba166a82007c65f917e60059aaa
Risk Score: 220

Malware Insights

Opey · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains VBA macros, including an AutoOpen macro, and triggers a high-severity heuristic for an embedded Equation Editor OLE object. ClamAV identifies the document as 'Doc.Trojan.Opey-18' and an extracted artifact as 'Win.Trojan.C-286'. The presence of the Equation Editor OLE object strongly suggests exploitation of a vulnerability within it to execute the embedded VBA macros, which likely download and execute a secondary payload.

Heuristics (5)

  • Equation Editor OLE object (severity: high; CVE related; id: OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • ClamAV: Doc.Trojan.Opey-18 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Opey-18
  • ClamAV detection on extracted artifact (severity: critical; id: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro (severity: high; id: OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which runs automatically when the document is opened.
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: af964cf1724dc7a0c0e39429674e75920c99a4dde075c62b271c5cb8b004d37c
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 4964 bytes
    Detection: ClamAV: Win.Trojan.C-286
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    SHA-256: 59ce382a09f33ae890887bd07fe5d2deaeaf781d08acdea1d517a618786f181c
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_976672834/Ole10Native
    Size: 3428 bytes