Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 329651b1778b40b2…

MALICIOUS

Office (OLE)

Size: 12.0 KB
Created: 2027-12-31 00:00:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: b96fa3c0d0b5a54b0f836d53ae937ef0
SHA-1: 603ff32571259130e61f2633ce624c5f7dd9af49
SHA-256: 329651b1778b40b2704dedf20e81c02d2394a2ce40005d00ffa8f4f4044fbdc4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OLE file containing a legacy WordBasic AutoOpen macro, flagged by the 'OLE_LEGACY_WORDBASIC_AUTOEXEC' heuristic. Such a macro runs automatically when the document is opened, a common way of initiating malicious actions. The 'SC_HEAP_SPRAY' heuristic further suggests exploitation of a memory-corruption vulnerability. The ClamAV detection 'Win.Trojan.Pox-8' confirms the file is malicious, likely involving the download of a secondary payload.

Heuristics (3)

  • ClamAV: Win.Trojan.Pox-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pox-8
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x07 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.