Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49759294bd3506c0…

MALICIOUS

Office (OLE)

Size: 104.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 0e26a6cf51d29b327de45eb8a4b26b86
SHA-1: d186e8dc4bfd73f308802164e798541241ae35df
SHA-256: 49759294bd3506c09321b01ad96676525a588de5dba06c82179791bf7e42827a
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing a WordBasic AutoOpen macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. This macro is designed to execute automatically when the document is opened, likely to perform malicious actions. The presence of 'AutoOpen' and other legacy macro names suggests an attempt to leverage outdated functionality for code execution.

Heuristics (2)

  • ClamAV: Win.Tool.WM-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Tool.WM-2
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.