Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is an OLE (Compound File) Word document that carries a legacy WordBasic auto-execution marker such as AutoOpen (heuristic OLE_LEGACY_WORDBASIC_AUTOEXEC): pre-VBA macro code that Word runs as soon as the document is opened. No modern VBA project was recovered. The SC_HEAP_SPRAY heuristic fired on a 96-byte run of 0x07 at offsets 0xA80 to 0xADF, which an x86 disassembler decodes as a sled of single-byte pop es instructions; a run like that is compatible with a heap spray or NOP-style sled, but it is also what non-zero padding looks like, so on its own it is supporting evidence rather than proof of memory corruption exploitation. The strongest of the three findings is the ClamAV signature Win.Trojan.Pox-8, rated critical. None of the heuristics shown here establishes a downloader, a second-stage payload or a specific parser CVE by itself.
Heuristics (3)
- ClamAV: Win.Trojan.Pox-8 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Pox-8
- Heap-spray pattern detected [high, SC_HEAP_SPRAY]: Repeated 0x07 bytes found
  Disassembly: attempted x86 opcode disassembly of 0x00000A80 to 0x00000ADF (96 bytes, every byte 0x07). Only the first and last two lines are shown; lines 00000A82 through 00000ADD are identical, each "07 pop es".
  00000A80 07 pop es
  00000A81 07 pop es
  00000ADE 07 pop es
  00000ADF 07 pop es
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
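To make the two byte-level heuristics above concrete, here is an added example that reproduces them on a raw file: it finds long runs of one repeated byte (the SC_HEAP_SPRAY signal), decodes the byte as a single-byte x86 instruction where that is possible (the "07 pop es" listing), and searches for legacy auto-execution procedure names such as AutoOpen in ASCII and UTF-16LE (the OLE_LEGACY_WORDBASIC_AUTOEXEC signal). This is not the analyzer's own code; the 64-byte run threshold, the opcode table, the function names and the constructed sample document are assumptions chosen for illustration. It scans the flat file; a real OLE triage would walk the compound file's streams (for example with the olefile library) and report per-stream offsets.

```python
"""Reproduce the report's two byte-level heuristics on a raw document.

Added example, not the analyzer's own code. The run-length threshold, the
opcode table, the helper names and the constructed sample are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header

# A few single-byte x86 opcodes (32-bit mode). A run of one of these decodes
# to a sled, which is why the report's disassembly shows 0x07 as 'pop es'.
ONE_BYTE_OPCODES: Dict[int, str] = {
    0x06: "push es", 0x07: "pop es", 0x0E: "push cs",
    0x16: "push ss", 0x17: "pop ss", 0x1E: "push ds", 0x1F: "pop ds",
    0x40: "inc eax", 0x41: "inc ecx", 0x42: "inc edx", 0x43: "inc ebx",
    0x90: "nop", 0xCC: "int3", 0xF4: "hlt",
}

# Legacy WordBasic / Word auto-execution procedure names.
AUTOEXEC_NAMES = [b"AutoOpen", b"AutoExec", b"AutoClose", b"AutoNew", b"AutoExit"]


@dataclass
class ByteRun:
    offset: int
    length: int
    value: int
    mnemonic: Optional[str]  # decoded 1-byte instruction, or None


def find_repeated_byte_runs(data: bytes, min_len: int = 64,
                            skip_zero: bool = True) -> List[ByteRun]:
    """Return runs of a single repeated byte of at least min_len bytes.

    Zero runs are skipped by default: OLE sector padding makes them ubiquitous.
    min_len=64 is an assumed threshold, not the analyzer's.
    """
    runs: List[ByteRun] = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len and not (skip_zero and data[i] == 0):
            runs.append(ByteRun(i, j - i, data[i], ONE_BYTE_OPCODES.get(data[i])))
        i = j
    return runs


def disassemble_run(run: ByteRun) -> List[str]:
    """Render a run in the report's listing format: address, byte, mnemonic."""
    mnemonic = run.mnemonic or f"db 0x{run.value:02X}"
    return [f"{run.offset + k:08X} {run.value:02X} {mnemonic}" for k in range(run.length)]


def find_autoexec_markers(data: bytes) -> List[Tuple[int, str, str]]:
    """Find auto-exec names as ASCII and UTF-16LE; returns (offset, name, encoding)."""
    hits: List[Tuple[int, str, str]] = []
    for name in AUTOEXEC_NAMES:
        text = name.decode("ascii")
        for enc, needle in (("ascii", name), ("utf-16le", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), text, enc))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Combine the checks. A sled-like run is evidence, not a verdict: padding
    with a non-zero byte looks identical, so it needs the other indicators."""
    runs = find_repeated_byte_runs(data)
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "repeated_byte_runs": [(r.offset, r.length, r.value, r.mnemonic) for r in runs],
        "sled_like": any(r.mnemonic is not None for r in runs),
        "autoexec_markers": find_autoexec_markers(data),
    }


def constructed_sample() -> bytes:
    """Constructed input, not the real sample: OLE magic, an ASCII 'AutoOpen'
    and a UTF-16LE 'AutoClose' name, and 96 bytes of 0x07 at 0xA80 to mirror
    the offsets in the report's disassembly."""
    buf = bytearray(OLE_MAGIC)
    buf += b"\x00" * (0x200 - len(buf))
    buf += b"Sub MAIN\r\n"  # WordBasic-style text, for illustration only
    buf += b"AutoOpen\r\n"
    buf += "AutoClose".encode("utf-16-le")
    buf += b"\x00" * (0xA80 - len(buf))
    buf += b"\x07" * 96
    buf += b"\x00" * 64
    return bytes(buf)


if __name__ == "__main__":
    sample = constructed_sample()
    for key, val in triage(sample).items():
        print(f"{key}: {val}")
    for run in find_repeated_byte_runs(sample):
        lines = disassemble_run(run)
        print("\n".join(lines[:2] + ["..."] + lines[-1:]))
```

On the constructed sample the run is reported at 0xA80 with length 96 and mnemonic "pop es", and both marker encodings are found. Running the same code over a clean document with a block of 0xFF filler shows why the run by itself is weak evidence: the run is reported, but with no decodable mnemonic and no auto-exec names, and it is the combination with the other findings that matters.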