Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 edf8ae6b51caa5c1…

MALICIOUS

Office (OLE) / .DOC

Size: 159.0 KB
Created: 2001-11-09 09:52:00
Authoring application: Microsoft Word 8.0
MD5: c3cf05c13f37e001dcd7e82306b5a45f
SHA-1: 0f68b500c883b1a191c1644a2262b5fee5088a0b
SHA-256: edf8ae6b51caa5c17544c0a077389e510fbf72ef60c6d21f1d611997f6453c26
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros that define AutoOpen and Auto_Close functions. Heuristics indicate the presence of macros and an embedded artifact detected by ClamAV as 'Doc.Trojan.Aleja-1'. The document body is largely narrative and does not directly contribute to the attack pattern, but the presence of these macros strongly suggests an attempt to execute malicious code when the document is opened or closed.

Heuristics (4)

  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
668c02294d1e6820536efc2a965ecb07eefe67bcf7e1b00a304d836295c48bb4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1509 bytes
Detection
ClamAV: Doc.Trojan.Aleja-1
Obfuscation or payload: unlikely