Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df56fd81e86c52aa…

MALICIOUS

Office (OLE)

Size: 156.0 KB
Created: 2001-09-07 12:04:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b50038ccc77c2625082308f4ca10b6b8
SHA-1: d64ea934fca338b969ef7f1915b0b113c38984cd
SHA-256: df56fd81e86c52aa71133d7d4a4ad6cac797b87f3830f6dfa6f4a4e69b6d0a47
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical-severity ClamAV detection (Doc.Trojan.Marker-17) indicates this file is malicious. The presence of a large VBA macro supports this and suggests the macro is the mechanism for delivering the malicious payload. However, within the provided excerpt the macro code consists largely of author comments and contains no explicit download or execution commands, so confidence in the exact payload delivery method is slightly reduced.

Heuristics (2)

  • ClamAV: Doc.Trojan.Marker-17 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Marker-17
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 205750 bytes
SHA-256: 0a468464c7835ca8f387ac7f9f5aca53cf2192512bc0084365dbf5f2960fbf6b
Detection: ClamAV: Doc.Trojan.Marker-17
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Righard J. Zwienenberg
' RJZ
'
' 9/7/01 2:05:19 PM
'
' Righard J. Zwienenberg
' RJZ
'
' 9/7/01 2:04:33 PM
'
' Georg Kirchhofer
' KIR
'
' 06.09.2001 17:25:00
'
' Georg Kirchhofer
' KIR
'
' 05.09.2001 09:18:26
'
' Reto Kamer
' KAM
'
' 03.09.2001 16:43:50
'
' Systemadministrator
' ADMIN2
'
' 03.09.2001 11:57:09
'
' Fabio Crestani
' CRE
'
' 08.08.2001 16:21:27
'
' Ralf Ziemer
' ZIE
'
' 07.08.2001 12:43:40
'
' Ralf Ziemer
' ZIE
'
' 07.08.2001 10:46:01
'
' Ralf Ziemer
' ZIE
'
' 07.08.2001 07:40:38
'
' Ralf Ziemer
' ZIE
'
' 25.07.2001 12:59:18
'
' Markus Ruegg
' REG
'
' 20.07.2001 16:25:33
'
' Markus Ruegg
' REG
'
' 20.07.2001 15:53:13
'
' Markus Ruegg
' REG
'
' 19.07.2001 19:17:21
'
' Markus Ruegg
' REG
'
' 19.07.2001 19:13:57
'
' Markus Ruegg
' REG
'
' 19.07.2001 18:14:59
'
' Markus Ruegg
' REG
'
' 19.07.2001 13:05:56
'
' Markus Ruegg
' REG
'
' 19.07.2001 09:01:48
'
' Markus Ruegg
' REG
'
' 18.07.2001 15:58:02
'
' Markus Ruegg
' REG
'
' 13.07.2001 07:53:19
'
' Markus Ruegg
' REG
'
' 13.07.2001 07:26:01
'
' Markus Ruegg
' REG
'
' 12.07.2001 17:25:43
'
' Markus Ruegg
' REG
'
' 12.07.2001 17:13:45
'
' Markus Ruegg
' REG
'
' 12.07.2001 15:09:28
'
' Markus Ruegg
' REG
'
' 12.07.2001 15:09:21
'
' Dieziger Werner
' DIE
'
' 01.06.01 09:36:52
'
' Dieziger Werner
' DIE
'
' 01.06.01 09:36:32
'
' Dieziger Werner
' DIE
'
' 31.05.01 13:53:39
'
' Dieziger Werner
' DIE
'
' 31.05.01 13:33:26
'
' Dieziger Werner
' DIE
'
' 30.05.01 16:31:47
'
' Dieziger Werner
' DIE
'
' 30.05.01 11:18:03
'
' Dieziger Werner
' DIE
'
' 30.05.01 09:55:43
'
' Dieziger Werner
' DIE
'
' 30.05.01 07:30:28
'
' Dieziger Werner
' DIE
'
' 29.05.01 08:48:33
'
' Dieziger Werner
' DIE
'
' 29.05.01 08:47:31
'
' Dieziger Werner
' DIE
'
' 29.05.01 08:46:56
'
' Dieziger Werner
' DIE
'
' 28.05.01 16:08:45
'
' Dieziger Werner
' DIE
'
' 28.05.01 14:59:49
'
' Dieziger Werner
' DIE
'
' 28.05.01 10:54:11
'
' Dieziger Werner
' DIE
'
' 23.05.01 11:13:24
'
' Dieziger Werner
' DIE
'
' 23.05.01 11:12:48
'
' Dieziger Werner
' DIE
'
' 23.05.01 11:12:31
'
' Dieziger Werner
' DIE
'
' 22.05.01 16:25:13
'
' Dieziger Werner
' DIE
'
' 22.05.01 16:23:42
'
' Dieziger Werner
' DIE
'
' 22.05.01 13:26:53
'
' Dieziger Werner
' DIE
'
' 21.05.01 16:44:37
'
' Dieziger Werner
' DIE
'
' 21.05.01 15:25:03
'
' Dieziger Werner
' DIE
'
' 21.05.01 14:27:48
'
' Dieziger Werner
' DIE
'
' 21.05.01 14:26:52
'
' Dieziger Werner
' DIE
'
' 21.05.01 13:55:43
'
' Dieziger Werner
' DIE
'
' 21.05.01 13:23:06
'
' Dieziger Werner
' DIE
'
' 18.05.01 17:21:02
'
' Dieziger Werner
' DIE
'
' 16.05.01 08:46:51
'
' Dieziger Werner
' DIE
'
' 15.05.01 15:15:06
'
' Rafael Becerra
' RB
'
' 14/02/2001 21:05:18
'
' Rafael Becerra
' RB
'
' 26/01/2001 15:10:41
'
' Rafael Becerra
' RB
'
' 26/01/2001 15:04:55
'
' Rafael Becerra
' RB
'
' 23/01/2001 22:25:49
'
' Rafael Becerra
' RB
'
' 23/01/2001 11:31:02
'
' Rafael Becerra
' RB
'
' 26/12/2000 04:40:56 PM
'
' Rafael Becerra
' RB
'
' 26/12/2000 03:05:14 PM
'
' Rafael Becerra
' RB
'
' 26/12/2000 11:24:33 AM
'
' Rafael Becerra
' RB
'
' 22/12/2000 03:01:02 PM
'
' Rafael Becerra
' RB
'
' 22/12/2000 08:27:02 AM
'
' Rafael Becerra
' RB
'
' 21/12/2000 01:49:54 PM
'
' Rafael Becerra
' RB
'
' 19/12/2000 04:44:28 PM
'
' Rafael Becerra
' RB
'
' 19/12/2000 04:22:26 PM
'
' Rafael Becerra
' RB
'
' 19/12/2000 08:33:11 AM
'
' Rafael Becerra
' RB
'
' 18/12/2000 02:53:29 PM
'
' Rafael Becerra
' RB
'
' 18/12/2000 08:12:09 AM
'
' Rafael Becerra
' RB
'
' 13/12/2000 02:40:21 PM
'
' Rafael Becerra
' RB
'
... (truncated)