Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10469ca7ac02915c…

MALICIOUS

Office (OLE)

15.5 KB First seen: 2012-06-14
MD5: b59a1c0a96f4d5d628b0a3484f599119 SHA-1: 4a458d6d11fae4781196d5c3858e74985bfd934c SHA-256: 10469ca7ac02915cc46246ad9607db77a77a910f6215fc8f0a7028c07ffe465e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of common macro names like AutoOpen and AutoClose. While no specific malicious payload is evident in the provided text, these markers strongly suggest an intent to execute malicious code via macros. The document body contains numerous references to file paths and macro functions, typical of older macro malware.

Heuristics 2

  • ClamAV: Win.Trojan.Colors-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Colors-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.