Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ec3f294041d00fd…

MALICIOUS

Office (OLE)

Size: 12.5 KB
First seen: 2012-06-14
MD5:     660e132cb1b265eeea2a413f5c8a3973
SHA-1:   1de56b1ccf0933a4f05bdba87434f923d37dee60
SHA-256: 2ec3f294041d00fdfd1a554bacb85e74842e78a0703fc1ee3b82912dadd6b596
Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample carries the hallmarks of a legacy WordBasic macro virus: the literal marker 'RSN MACRO VIRUS' and strings XOR-encoded with the single-byte key 0xFD. Decoding the flagged region with that key yields the ASCII names 'CreateFileA' and 'CloseHandle' separated by NUL padding (0xFD XOR 0xFD = 0x00), so the obfuscated block is API-name string data used for file operations, not executable code. The document body also contains numerous plaintext strings for file operations and macro execution, consistent with a macro-based infection vector. The ClamAV signature Win.Trojan.Prism-2 is a third, independent indicator that corroborates the verdict; treat it as a detection label rather than a family attribution, since ClamAV signature names are not a malware-family taxonomy.

Heuristics (3)

  • ClamAV: Win.Trojan.Prism-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Prism-2
  • XOR-encoded strings (key 0xFD) [critical] (SC_XOR_ENCODED)
    Found 1 Windows library/API name XOR-encoded with single-byte key 0xFD: 'CreateFileA'
    Disassembly (attempted x86 decode of the flagged bytes at 0x2A60-0x2ABF)
    The listing below is the scanner's attempt to disassemble the flagged region as x86. The bytes are XOR-obfuscated ASCII, not code, so the mnemonics are meaningless: every 'fd / std' line is an encoded NUL byte (0xFD XOR 0xFD = 0x00), and the 'mov esi, imm32' / 'mov ebx, imm32' lines are simply the first bytes of the encoded names. Read the hex column, not the mnemonics: 0x2A60-0x2A6A decodes to 'CreateFileA' and 0x2A6E-0x2A78 to 'CloseHandle', which the heuristic's count of one name does not mention.
    00002A60  be8f989c89        mov esi, 0x899c988f
    00002A65  98                cwde
    00002A66  bb949198bc        mov ebx, 0xbc989194
    00002A6B  fd                std
    00002A6C  fd                std
    00002A6D  fd                std
    00002A6E  be91928e98        mov esi, 0x988e9291
    00002A73  b59c              mov ch, 0x9c
    00002A75  93                xchg ebx, eax
    00002A76  99                cdq
    00002A77  91                xchg ecx, eax
    00002A78  98                cwde
    00002A79  fd                std
    00002A7A  fd                std
    00002A7B  fd                std
    00002A7C  fd                std
    00002A7D  fd                std
    00002A7E  fd                std
    00002A7F  fd                std
    00002A80  fd                std
    00002A81  fd                std
    00002A82  fd                std
    00002A83  fd                std
    00002A84  fd                std
    00002A85  fd                std
    00002A86  fd                std
    00002A87  fd                std
    00002A88  fd                std
    00002A89  fd                std
    00002A8A  fd                std
    00002A8B  fd                std
    00002A8C  fd                std
    00002A8D  fd                std
    00002A8E  fd                std
    00002A8F  fd                std
    00002A90  fd                std
    00002A91  fa                cli
    00002A92  97                xchg edi, eax
    00002A93  02fd              add bh, ch
    00002A95  fd                std
    00002A96  fd                std
    00002A97  fd                std
    00002A98  fd                std
    00002A99  fd                std
    00002A9A  fd                std
    00002A9B  fd                std
    00002A9C  fd                std
    00002A9D  fd                std
    00002A9E  fd                std
    00002A9F  fd                std
    00002AA0  fd                std
    00002AA1  fd                std
    00002AA2  fd                std
    00002AA3  fd                std
    00002AA4  fd                std
    00002AA5  fd                std
    00002AA6  fd                std
    00002AA7  fd                std
    00002AA8  fd                std
    00002AA9  fd                std
    00002AAA  fd                std
    00002AAB  fd                std
    00002AAC  fd                std
    00002AAD  fd                std
    00002AAE  fd                std
    00002AAF  fd                std
    00002AB0  fd                std
    00002AB1  fd                std
    00002AB2  fd                std
    00002AB3  fd                std
    00002AB4  fd                std
    00002AB5  fd                std
    00002AB6  fd                std
    00002AB7  fd                std
    00002AB8  fd                std
    00002AB9  fd                std
    00002ABA  fd                std
    00002ABB  fd                std
    00002ABC  fd                std
    00002ABD  fd                std
    00002ABE  fd                std
    00002ABF  fd                std
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution markers: AutoOpen together with ToolsMacro, MacroFile, fileMacro or globMacro, or the name string of a historical macro virus (here 'RSN MACRO VIRUS'). Word 6/95 stored macros in this form rather than as a VBA project, so a VBA-project extractor can return nothing for such a file; confirm with a raw string scan of the document body before concluding that it is macro-free.
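As an added example (not part of the report, and not the scanner's own code), the following Python reproduces the two string heuristics above offline. It brute-forces every single-byte XOR key against a list of Windows API names over the bytes printed in the disassembly dump, recovers the plaintext strings under the winning key, and scans for the WordBasic markers named in this report in both ANSI and UTF-16LE. The API names beyond 'CreateFileA', the auto-macro names beyond AutoOpen, and the Word 6/95-style buffer used for the marker scan are assumptions constructed for the demonstration, not data from the analysed sample.

```python
"""Offline triage for the two string heuristics in the report: single-byte
XOR-encoded Windows API names, and legacy WordBasic macro-virus markers that a
VBA-project extractor never sees. Standard library only."""
import re

# Bytes 0x2A60-0x2ABF transcribed from the hex column of the report's
# "Attempted x86 opcode disassembly" (runs of 0xFD collapsed with a repeat count).
REPORT_BYTES = (
    bytes.fromhex("be 8f 98 9c 89 98 bb 94 91 98 bc")    # 0x2A60
    + b"\xfd" * 3                                        # 0x2A6B
    + bytes.fromhex("be 91 92 8e 98 b5 9c 93 99 91 98")  # 0x2A6E
    + b"\xfd" * 24                                       # 0x2A79
    + bytes.fromhex("fa 97 02")                          # 0x2A91
    + b"\xfd" * 44                                       # 0x2A94
)
assert len(REPORT_BYTES) == 0x60  # 96 bytes, 0x2A60..0x2ABF inclusive

# API names worth hunting for in a dropper. CreateFileA is the one the report
# flags; the others are common additions (an assumption of this example).
API_NAMES = [b"CreateFileA", b"CloseHandle", b"WriteFile", b"ReadFile",
             b"GetProcAddress", b"LoadLibraryA", b"WinExec", b"ShellExecuteA"]

# Markers named in the report, plus the other WordBasic auto-macros (AutoExec,
# AutoNew, AutoClose, AutoExit) that Word 6/95 ran without a VBA project.
WORDBASIC_MARKERS = [b"AutoOpen", b"AutoExec", b"AutoNew", b"AutoClose", b"AutoExit",
                     b"ToolsMacro", b"MacroFile", b"fileMacro", b"globMacro",
                     b"RSN MACRO VIRUS"]

# Constructed stand-in for a Word 6/95 document body: macro names stored as plain
# ANSI strings among binary padding. Not bytes from the analysed sample.
CONSTRUCTED_WORD6_BODY = (b"\x00\x10" + b"AutoOpen" + b"\x00" * 5 + b"ToolsMacro"
                          + b"\x00" * 7 + b"RSN MACRO VIRUS" + b"\x00" * 4)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def find_xor_encoded(data: bytes, needles, keys=range(256)):
    """Try every single-byte key; return {key: [(offset, name), ...]} for keys
    that expose at least one needle. Key 0 doubles as the plaintext check."""
    hits = {}
    for key in keys:
        plain = xor_decode(data, key)
        for needle in needles:
            for m in re.finditer(re.escape(needle), plain):
                hits.setdefault(key, []).append((m.start(), needle.decode()))
    return hits


def printable_runs(data: bytes, min_len: int = 4):
    """ASCII runs of at least min_len bytes: the usual 'strings' view of a buffer."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_wordbasic_markers(data: bytes, markers=WORDBASIC_MARKERS):
    """Case-sensitive scan for legacy macro names in ANSI and UTF-16LE. They live
    in the document body, never in a VBA project stream, so scan raw bytes."""
    found = []
    for marker in markers:
        variants = (("ansi", marker), ("utf16le", marker.decode().encode("utf-16-le")))
        for enc_name, pattern in variants:
            for m in re.finditer(re.escape(pattern), data):
                found.append((m.start(), marker.decode(), enc_name))
    return sorted(found)


def triage(data: bytes) -> dict:
    """Run both heuristics; decode under the key with the most hits for review."""
    xor_hits = find_xor_encoded(data, API_NAMES)
    best_key = max(xor_hits, key=lambda k: len(xor_hits[k])) if xor_hits else None
    decoded = printable_runs(xor_decode(data, best_key)) if best_key is not None else []
    return {"xor_hits": xor_hits, "best_key": best_key,
            "decoded_strings": decoded,
            "wordbasic_markers": find_wordbasic_markers(data)}


if __name__ == "__main__":
    for label, blob in (("report bytes", REPORT_BYTES),
                        ("constructed Word 6 body", CONSTRUCTED_WORD6_BODY)):
        r = triage(blob)
        print(f"== {label}")
        print(f"   best XOR key : {r['best_key']:#04x}" if r["best_key"] is not None
              else "   best XOR key : none")
        print(f"   decoded      : {r['decoded_strings']}")
        print(f"   WordBasic    : {r['wordbasic_markers']}")
```

Run directly, the report bytes come back with key 0xfd and the strings 'CreateFileA' and 'CloseHandle'; no other key exposes an API name, which is the false-positive check a brute-force scanner needs. The marker scan finds nothing in those 96 bytes because the dump covers only the encoded string table, not the part of the document where the macro names sit; against a real Word 6/95 file, feed it the whole WordDocument stream.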