Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e2c0c345483a8177…

MALICIOUS

Office (OLE)

35.5 KB Created: 2010-04-20 07:10:00 Authoring application: Microsoft Word 10.1
MD5: ff1a9e29d5b6171f00a283bfbcd53815 SHA-1: 6ed413a82c1fd546e6e501690b72e46de6d10f06 SHA-256: e2c0c345483a81778a26c31dbb92da972d7fb71e34879c83776c0f2f22aa08af
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The document body presents a list of hyperlinks under the guise of educational resources, likely intended to trick the user into clicking them. The presence of the Document_Open macro suggests the script's primary function is to initiate malicious activity, such as downloading a secondary payload from one of the embedded URLs.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.nmsea.org/Curriculum/Primer/forms_of_energy.htm
    • http://www.clean-energy-ideas.com/
    • http://www.ifpaenergyconference.com/
    • http://www.darvill.clara.net/altenerg/index.htm
    • http://tonto.eia.doe.gov/kids/energy.cfm?page=about_forms_of_energy-forms
    • http://www.wisegeek.com
    • http://www.buzzle.com/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
c341f5a9c33b71efb4e45f6fa13ffa5be0922313088d50bdabb2a62f92967b81		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2379 bytes
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.