Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e3e2d53df492828b…

MALICIOUS

Office (OLE) / .DOC

Size: 55.5 KB
Created: 2008-12-01 18:45:00
Authoring application: Microsoft Word 10.1
MD5: 7e176a4683893591b000088392244430
SHA-1: 6b73077c5740716911ef7b8de7b47b09af5dc5aa
SHA-256: e3e2d53df492828b4fb23cac0e10f0e43e62fcc77b6c1db72ce10d1265b6e5d5
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The file is a Microsoft Word document containing a VBA macro, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. ClamAV has identified this file as Doc.Trojan.Thus-8. The embedded URL, while confirmed benign, is present in the document text. The macro's exact function is not detailed, but its presence and the ClamAV detection strongly suggest it's designed to exploit a vulnerability or download a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Trojan.Thus-8 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • ClamAV detection on extracted artifact [critical] (EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 56,832 bytes but its declared streams total only 32,767 bytes — 24,065 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1f1df94b445fd9240b18e6a7025cc8d56852d3354ce5e7154d45dc7fe82c79c3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2385 bytes
Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely