Office (OLE) malware analysis — malicious · fbf1c8ec332dfc73

MALICIOUS

Office (OLE)

734.5 KB Created: 2008-03-20 07:35:00 Authoring application: Microsoft Word 11.0

MD5: 84bd38672ce9203f37455b1b51c29209 SHA-1: 23acdad1afb64e4f7cf5d38cca798e220a3b716d SHA-256: fbf1c8ec332dfc734d830e8d6aa0f68dd7ebe71a52ecf42aa61a5a6586c77cb7

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Thus-4. It contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The document body suggests a lure related to daily tranquility and assistance services, likely to trick the user into opening the malicious content. The presence of a Document_Open macro indicates an attempt to automatically run malicious code, possibly to download and execute further payloads.

Heuristics 5

ClamAV: Doc.Trojan.Thus-4 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Thus-4
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x4B bytes
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `faaad10172eb15e4110b98eb6ac42c309844fff525951792e20de38dfb6ebb3a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2326 bytes
Detection ClamAV: Doc.Trojan.Thus-4 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.