Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df6e62533e020e0d…

MALICIOUS

Office (OLE)

Size: 53.0 KB
Created: 2010-03-25 09:21:00
Authoring application: Microsoft Word 10.1
MD5: e092478b6c6cd1f472a2897ab17ff43d
SHA-1: 42996b39caddcc30b7e63d5120eeeb8a8bf80f5d
SHA-256: df6e62533e020e0d772da3707db831841a2e6e135d0e6a05356a0963c0e72950
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a malicious Office document containing a VBA macro, as indicated by the OLE_VBA_MACROS and OLE_VBA_DOCOPEN heuristics. The macro is obfuscated, suggesting an attempt to hide malicious activity. The document body is a press release about ski events, likely a lure to encourage macro execution. The embedded URLs, though mostly of benign or unknown reputation, are part of the lure. The ClamAV detection as 'Doc.Trojan.Story-1' further confirms its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Story-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Story-1
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.laax.com
    • http://www.kulturkreisarosa.ch
    • http://www.samnaun.ch
    • http://www.caprices.ch
    • http://www.zermatt-unplugged.ch
    • http://www.snowpenair.ch
    • http://www.MySwitzerland.com/events
    • http://www.MySwitzerland.com/winter

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 78677940a511a49b449aff11fdca59114d564be9be34033272202cadf5a63c9c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7063 bytes

Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 9 Chr/ChrW string-construction calls.