Office (OLE) / .DOC malware analysis — malicious · e77b89adbbb8a9e2

MALICIOUS

Office (OLE) / .DOC

54.5 KB Created: 2010-02-17 13:48:00 Authoring application: Microsoft Word 11.1

MD5: a63b713fec49f547257efe23e3e65958 SHA-1: 21f731acf30be3f059f36c5eeab7e9421a1cdb1c SHA-256: e77b89adbbb8a9e223d9e69ff618f21025bb27d4aee9dd36cb63a022ebe237c5

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The document body is crafted as a permission slip for a school concert, designed to trick the recipient into enabling macros. The presence of the Document_Open macro and the malicious nature indicated by ClamAV detection strongly suggest that the VBA code is intended to download and execute a second-stage payload.

Heuristics 4

ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-8
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `174382551540ed8a2407a7b84dc489c18016425e7ff95262831585f6a8dc7fcf`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2340 bytes
Detection ClamAV: Doc.Trojan.Thus-8 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.