Office (OLE) malware analysis — malicious · e26f69acca0cac1a

MALICIOUS

Office (OLE)

35.5 KB Created: 2006-06-02 19:00:00 Authoring application: Microsoft Word 10.1

MD5: 14d5174dd2626d05ad47e4e2d697beda SHA-1: 8763cc73f7577d6e77532704309a7d18e679051d SHA-256: e26f69acca0cac1abf0f749e28f55e55870f8c9a9366261624a599e131b8cb0c

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is an OLE document containing VBA macros, specifically a Document_Open macro, which is a common technique for initiating malicious actions upon opening. ClamAV signatures identify it as 'Doc.Trojan.Panther-2'. The document body discusses a school district's financial difficulties and requests help from a state representative, suggesting a social engineering lure to solicit funds or information. The presence of the Document_Open macro indicates the script likely executes immediately upon opening the document to facilitate this social engineering attack.

Heuristics 4

ClamAV: Doc.Trojan.Panther-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Panther-2
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `cbdbfe33f16fe310900498bb63f3d69bc2ced3bc69d54e964a03d7979043e8d3`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1590 bytes
Detection ClamAV: Doc.Trojan.Panther-2 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.