Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eb6a9f967b24aeb0…

MALICIOUS

Office (OLE) / .DOC

56.5 KB Created: 2007-03-14 10:30:00 Authoring application: Microsoft Macintosh Word
MD5: 8ff3a4cd9b237c6f08558cc31ac5feb1 SHA-1: 561958864a94b13d18e0ba4b65a8e0fd4e860270 SHA-256: eb6a9f967b24aeb00d9316bcd49c32cd7a66b823ec7c41c7406ad39da7082399
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a Microsoft Word document containing a VBA macro, specifically triggered by the Document_Open event. ClamAV identifies this as Doc.Trojan.Walker-9. While no specific malicious URLs or scripts were extracted, the presence of the Document_Open macro and the ClamAV detection strongly indicate that the VBA code is designed to execute malicious actions upon opening the document, likely leading to the download or execution of a secondary payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Walker-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-9
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8ba074b3e7e561ef674cf077afe3a0ad7a541dda9835637a07b8214397e2f797		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3158 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.