Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 24b0a3b3596232dd…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 11.0 KB
First seen: 2012-06-14
MD5: 20627215386c9b7ee753eab24ce60f50
SHA-1: a46c470588ada150f7a8ce58cfc2d776a6e5df45
SHA-256: 24b0a3b3596232dd4321ec014b22b821f15f8222987fb38fb88be044f1adf575
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample shows the characteristics of a legacy macro virus: its document body contains 'RSN MACRO VIRUS' markers, and ClamAV reports a critical detection for Win.Trojan.GreenBay-1. The embedded text appears to be ordinary document content but contains strings indicative of malicious macro activity, including function names such as AutoOpen and AutoClose and the explicit string 'RSN MACRO VIRUS'.

Heuristics (2)

  • ClamAV: Win.Trojan.GreenBay-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GreenBay-1
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.