Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f5bbcb6ac483070e…

MALICIOUS

Office (OLE) / .DOC

Size: 41.0 KB
Created: 2002-09-09 01:38:00
Authoring application: Microsoft Word 8.0
MD5: 8cfbd797af47652dfbf98524e30f7076
SHA-1: 220e0f6faebc81a1e91cde40ea5ea3734e645679
SHA-256: f5bbcb6ac483070e4e734927fb1cad3a3cd45e1f02c944091d45a41948f91fff
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV flags the sample twice: Doc.Trojan.Class-37 on the document itself and Doc.Trojan.Class-1 on the VBA source carved from it (macros.bas). The macro project contains the auto-execution procedures AutoOpen and Auto_Close, which Office invokes when the document is opened and closed, so the code runs as soon as macros are enabled, with no further user action. No document body text was available for analysis (no lure or decoy content to assess), but auto-executing macros in a spearphishing-sized .doc are on their own a strong indicator of a payload delivery mechanism.

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-37 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-37
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    A VBA procedure named AutoOpen runs automatically when the document is opened; the attacker's code needs no user action beyond macros being enabled.
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    A VBA procedure named Auto_Close runs automatically when the document is closed, giving the macro a second execution trigger (and a point for cleanup) after opening.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 30d1a93a06e496fe12ac62e3e8b90f3df8f1d0b968537aec8eff2db82f32561c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19334 bytes
Detection: ClamAV: Doc.Trojan.Class-1
Obfuscation or payload: unlikely
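The Heuristics and Extracted artifacts sections above are the output of a pipeline that decodes the VBA project (here with oletools' olevba), hashes the carved source as its own artifact, and matches auto-execution entry points. The Python below is an added example of that heuristic stage; it is not the analysis platform's code and not oletools'. It works from a constructed VBA_SOURCE string standing in for olevba output (in practice you would feed it the result of `olevba --decode` or `VBA_Parser.extract_all_macros()`), and the extra entry-point names (Document_Open, Workbook_Open, AutoExec, AutoNew), the obfuscation thresholds and the OLE_VBA_AUTOEXEC/OLE_VBA_AUTONEW ids are assumptions modelled on the report's naming, not the platform's actual rule set. ClamAV scanning of the carved file is out of scope here.

```python
"""Heuristic stage for a decoded VBA macro artifact (added example, not the
report generator's code). VBA_SOURCE is a constructed sample; a real pipeline
would take the decoded source that oletools' olevba extracts from the .doc."""
import hashlib
import re

# Auto-execution entry points Office calls without user interaction.
# Word recognises AutoOpen/AutoClose/AutoExec/AutoNew, Excel Auto_Open/Auto_Close,
# and the document/workbook event handlers fire as well. Lower-cased for lookup.
# (Heuristic ids and severities follow the report; the extra names are assumptions.)
AUTOEXEC = {
    "autoopen": ("OLE_VBA_AUTOOPEN", "high"),
    "auto_open": ("OLE_VBA_AUTOOPEN", "high"),
    "document_open": ("OLE_VBA_AUTOOPEN", "high"),
    "workbook_open": ("OLE_VBA_AUTOOPEN", "high"),
    "autoclose": ("OLE_VBA_AUTOCLOSE", "high"),
    "auto_close": ("OLE_VBA_AUTOCLOSE", "high"),
    "document_close": ("OLE_VBA_AUTOCLOSE", "high"),
    "autoexec": ("OLE_VBA_AUTOEXEC", "high"),
    "autonew": ("OLE_VBA_AUTONEW", "high"),
}

# Procedure declarations: optional visibility, then Sub/Function and the name.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)

# Calls that typically assemble strings or commands at runtime to dodge signatures.
OBFUSCATION_RE = re.compile(
    r"\b(Chr[BW]?|StrReverse|Xor|Replace|Mid|Asc)\s*\(", re.IGNORECASE
)

# Constructed sample standing in for olevba's decoded output (not from the sample above).
VBA_SOURCE = """Attribute VB_Name = "ThisDocument"
Private Sub AutoOpen()
    Call Payload
End Sub
Sub Auto_Close()
    Application.DisplayAlerts = False
End Sub
Private Sub Payload()
    Dim s As String
    s = Chr(99) & Chr(109) & Chr(100)
    Shell s, vbHide
End Sub
"""


def procedures(src):
    """Names of all Sub/Function procedures declared in the source, in order."""
    return [m.group(1) for m in PROC_RE.finditer(src)]


def heuristics(src):
    """(id, severity, description) tuples in the order the report lists them:
    the generic 'macros present' hit first, then one hit per auto-exec trigger."""
    hits = []
    if src.strip():
        hits.append(("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    seen = set()
    for name in procedures(src):
        entry = AUTOEXEC.get(name.lower())
        if entry and entry[0] not in seen:  # one hit per trigger type
            seen.add(entry[0])
            hits.append((entry[0], entry[1], f"{name} macro"))
    return hits


def obfuscation_verdict(src):
    """Crude density check: string-building calls per non-empty line.
    Thresholds are illustrative assumptions, not the platform's."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    ratio = len(OBFUSCATION_RE.findall(src)) / max(len(lines), 1)
    if ratio > 0.5:
        return "likely"
    if ratio > 0.15:
        return "possible"
    return "unlikely"


def artifact_record(src, filename="macros.bas"):
    """The carved-artifact row: the decoded source is hashed as its own file,
    which is what ClamAV would later be run against."""
    data = src.encode("utf-8")
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": "vba-macro",
        "size": len(data),
        "obfuscation": obfuscation_verdict(src),
    }


if __name__ == "__main__":
    for hid, sev, desc in heuristics(VBA_SOURCE):
        print(f"{hid:<20} {sev:<7} {desc}")
    print(artifact_record(VBA_SOURCE))
```

Matching on declared procedure names rather than on the substring "AutoOpen" anywhere in the text avoids false hits from comments and string literals, and de-duplicating per trigger type keeps the output at one row per heuristic as in the report. The `artifact_record` hash is computed over the decoded source bytes, so it will only match a platform's artifact hash if the same decoding and line-ending normalisation were applied.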