Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08f9f241671bbbc5…

MALICIOUS

Office (OLE)

Size: 7.0 KB
First seen: 2012-06-14
MD5: 0bb027a17b05e3b356ee47eb8c476c18
SHA-1: b24491fdfe73faeadfb0afd981dd7f27f87e6dff
SHA-256: 08f9f241671bbbc59d0c03a38bb904e70dd4b2ffe96e4c816b652d3f519df361
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, identified by the 'RSN MACRO VIRUS Goat file' markers and the presence of WordBasic macro virus indicators. The document body contains historical references and embedded strings that are typical of older macro malware. No specific malicious actions such as network communication or file execution were directly observed in the provided evidence, but the historical context and the heuristic detections strongly suggest a macro-based infection vector.

Heuristics (2)

  • ClamAV: Win.Trojan.Nova-4 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Nova-4
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.