Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 50881d2459f5a76a…

MALICIOUS

Office (OLE)

Size: 7.0 KB
Created: 1997-03-14 19:22:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 85fcafefa40a57261d2b4d986a552758
SHA-1: b3516d5079aa3df61d540bcb89b80d245e565fea
SHA-256: 50881d2459f5a76aa252d036c46e5d5a293377e9b9ecdb164f68e2b80e666154
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document containing legacy WordBasic macros. The presence of the 'FileSaveAs' marker in the AutoExec macro suggests an attempt to save the document as a new file, which is a common technique for dropping secondary payloads. ClamAV detection as Win.Trojan.Doggie-3 further supports its malicious nature.

Heuristics (2)

  • ClamAV: Win.Trojan.Doggie-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Doggie-3
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; on its own it is not an attribution to a downloader or a parser CVE.