Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eaa24ce7593ee338…

MALICIOUS

Office (OLE) / .DOC

Size: 73.5 KB
Created: 2015-06-05 07:07:00
Authoring application: Microsoft Office Word
MD5: 08969c7fdded6334380a6850bc90e4e0
SHA-1: 3b4a2ac3ed8b97b7437c94faec9e6f2c2ee689a0
SHA-256: eaa24ce7593ee33897ab09ae76225e3fff67de377c7d5e2e623daa6c7c11a8b5
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The file is a malicious Office document containing VBA macros. The presence of an AutoOpen macro and CreateObject calls, together with the ClamAV detection 'Doc.Dropper.Agent-5561180-0', strongly indicates dropper or downloader functionality. The VBA code is obfuscated, so the exact payload cannot be determined from static analysis alone, but the overall pattern indicates that the document is designed to execute further malicious actions when it is opened.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-5561180-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-5561180-0
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The macro code contains an AutoOpen entry point.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The macro code contains a CreateObject call.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    The macro code contains a CallByName call.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 517fdee98e2e44fb3f0950c115106b10c7513076f873ad8bf56034ebb306f5fe
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8572 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 116 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.