Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e63f9f5d2b85bc6d…

MALICIOUS

Office (OLE) / .DOC

Size: 95.5 KB
Created: 1999-05-31 18:13:00
Authoring application: Microsoft Word 8.0
MD5: f553823416f8029e2d942dc981d7e633
SHA-1: 07c4c0438dcf630e0fd51f99dad6931d13982778
SHA-256: e63f9f5d2b85bc6d503b27d9cd18e129cc1bdea8c3660663f6797010daecb0af
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document (OLE/.DOC) with embedded VBA macros. The macro project declares AutoOpen and Auto_Close procedures, names that Office treats as auto-execution entry points: once the recipient enables content, the code runs on document open and again on close with no further interaction. The auto-exec triggers on their own only establish that the macro runs without a click; what confirms the malicious classification is that both the document (ClamAV Doc.Trojan.Class-37) and the VBA source carved from it (ClamAV Doc.Trojan.Class-5) are detected. That carved artifact, macros.bas, is the decoded macro module extracted by oletools' olevba, not evidence that the code executed during analysis. The document body, presented as a curriculum vitae, is the lure that persuades the recipient to enable macros. The 14,242-byte module is assessed as unlikely to be obfuscated or to carry an embedded payload, so the malicious logic should be readable directly in the decoded VBA source.

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-37
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample (here the decoded macro module, macros.bas). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project declares an AutoOpen procedure, which Office runs automatically when the document is opened once macros are enabled; no further user action is needed.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    The VBA project declares an Auto_Close procedure, an auto-execution entry point that runs when the document is closed, giving the macro a second chance to execute if the user simply dismisses the file.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code. On its own this is only medium severity, since legitimate documents also carry macros; the combination with auto-execution triggers and AV hits is what raises the verdict.
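The triage step behind the three macro heuristics above, as an added Python example (not the analysis platform's code and not oletools' olevba, whose auto-exec keyword list is broader): it scans a decoded VBA module for procedure declarations whose names Office treats as auto-execution entry points, maps each to the report's heuristic id and severity, and hashes the module the way the carved macros.bas is hashed. The SAMPLE_MODULE text is constructed for the example, the OLE_VBA_AUTOEXEC id used for the remaining Word Auto* names is an assumption (the report shows only the two ids), and in practice the module text would come from olevba's extract_macros() on the document rather than a string literal.

```python
import hashlib
import re

# Auto-execution entry points that Office runs without any user action beyond
# "Enable Content". Word honours the Auto* names, Excel the Auto_* names;
# Document_*/Workbook_* are event handlers on ThisDocument/ThisWorkbook.
AUTOEXEC_TRIGGERS = {
    "autoopen":       ("OLE_VBA_AUTOOPEN",  "runs when the document is opened (Word)"),
    "auto_open":      ("OLE_VBA_AUTOOPEN",  "runs when the workbook is opened (Excel)"),
    "document_open":  ("OLE_VBA_AUTOOPEN",  "runs when the document is opened (Word event)"),
    "workbook_open":  ("OLE_VBA_AUTOOPEN",  "runs when the workbook is opened (Excel event)"),
    "autoclose":      ("OLE_VBA_AUTOCLOSE", "runs when the document is closed (Word)"),
    "auto_close":     ("OLE_VBA_AUTOCLOSE", "runs when the workbook is closed (Excel)"),
    "document_close": ("OLE_VBA_AUTOCLOSE", "runs when the document is closed (Word event)"),
    # Assumed heuristic id: the report only shows the two ids above.
    "autoexec":       ("OLE_VBA_AUTOEXEC",  "runs when Word starts"),
    "autonew":        ("OLE_VBA_AUTOEXEC",  "runs when a new document is created from the template"),
    "autoexit":       ("OLE_VBA_AUTOEXEC",  "runs when Word exits"),
}

# A procedure declaration: optional scope keyword, Sub/Function, the name, then "(".
# VBA identifiers are case-insensitive, hence IGNORECASE and the .lower() lookups.
PROC_DECL = re.compile(
    r"^[ \t]*(?:Public[ \t]+|Private[ \t]+)?(?:Sub|Function)[ \t]+([A-Za-z_]\w*)[ \t]*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_autoexec_procedures(vba_source):
    """Return [(name as written, heuristic id, trigger description)] for every auto-exec entry point."""
    hits = []
    for name in PROC_DECL.findall(vba_source):
        entry = AUTOEXEC_TRIGGERS.get(name.lower())
        if entry:
            hits.append((name, entry[0], entry[1]))
    return hits


def score_macro_module(vba_source):
    """Reproduce the report's macro heuristics: medium for any VBA, high per auto-exec trigger."""
    heuristics = {}
    if PROC_DECL.search(vba_source):
        heuristics["OLE_VBA_MACROS"] = "medium"
    for _, hid, _ in find_autoexec_procedures(vba_source):
        heuristics[hid] = "high"
    # Highest severity present decides; a module with no procedures scores nothing here.
    if "high" in heuristics.values():
        verdict = "high"
    elif heuristics:
        verdict = "medium"
    else:
        verdict = "none"
    return {"heuristics": heuristics, "verdict": verdict}


def artifact_sha256(module_text):
    """Hash the decoded source the way the report hashes the carved macros.bas."""
    return hashlib.sha256(module_text.encode("utf-8")).hexdigest()


# Constructed stand-in for a decoded module; this is not the 14 KB macros.bas from the sample.
SAMPLE_MODULE = '''Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    Stage
End Sub

Private Sub Auto_Close()
    Stage
End Sub

Sub Stage()
    MsgBox "Curriculum vitae"
End Sub
'''

if __name__ == "__main__":
    for name, hid, why in find_autoexec_procedures(SAMPLE_MODULE):
        print(f"{hid:18} {name:12} {why}")
    result = score_macro_module(SAMPLE_MODULE)
    for hid, severity in result["heuristics"].items():
        print(f"{severity:7} {hid}")
    print("verdict:", result["verdict"])
    print("sha256 :", artifact_sha256(SAMPLE_MODULE))
```

The regex deliberately matches only declarations, so a string literal or comment mentioning "AutoOpen" does not count; the trade-off is that a procedure assigned to an auto-exec name at runtime (for instance through Application.OnTime or a renamed module) is missed, which is why the AV hit on the extracted module still matters alongside the keyword heuristic.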

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7df84e1deccf9ee1c308b7b9208239d95c5997075b2a611b76d6737f0493c1ed
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14242 bytes
Detection: ClamAV: Doc.Trojan.Class-5
Obfuscation or payload: unlikely