Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 591beac258d27883…

MALICIOUS

Office (OLE)

Size: 11.0 KB
Created: 1998-09-05 19:34:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: 6f005d1845dbad7e6a87a94558695c8d
SHA-1: 73fa2d7a91a5c2a121568b21b4379d75382acff3
SHA-256: 591beac258d278839b55ab45ae137cb723388e3cf24329bd14408b583b678dab
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing an AutoOpen macro, flagged by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The authoring application (Word for Windows 95) matters here: Word 6/95 macros are written in WordBasic, not VBA, so VBA-oriented extractors recover no VBA project from this file and the macro evidence rests on the auto-exec marker rather than on a family signature. AutoOpen runs automatically when the document is opened, which fits delivery as a spearphishing attachment. The document body also references 'gremlin.doc' and the path 'C:\Makroviren\gremlin.doc' ('Makroviren' is German for 'macro viruses'). This may indicate that the macro copies itself into, or loads, a second document named 'gremlin', but the same string is equally consistent with a directory in which the sample was collected and stored, so treat the path as an indicator to pivot on rather than as proof of a staged payload.

Heuristics 2

  • ClamAV: Win.Trojan.Minimal-30 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Minimal-30
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
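The heuristic above, together with the 'gremlin.doc' path reference in the Malware Insights paragraph, can be approximated with a raw-byte scan that looks for the auto-executing macro names Word honours, checks whether a Word 97+ VBA project storage is present, and harvests embedded DOS paths as indicators. The block below is an added example, not the report engine's code and not code from the sample; the actual logic behind OLE_LEGACY_WORDBASIC_AUTOEXEC is not published on this page. It uses only the standard library, does not walk the CFB sector chain (a production tool would enumerate streams with olefile first), and runs against constructed sample bytes (WORD95_LIKE, WORD97_LIKE) that stand in for the real file.

```python
"""Raw-byte triage of an OLE document for legacy (WordBasic) auto-exec macro
markers. Added example; an approximation of the report's heuristic, not its
actual implementation. Stdlib only, no full CFB parse."""
import re
from dataclasses import dataclass

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB/OLE2 header signature

# Macro names Word runs automatically (WordBasic in Word 6/95, VBA in 97+).
AUTO_EXEC_NAMES = ("AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit")

# Directory entries that exist only when a Word 97+ VBA project is stored.
# CFB directory names are UTF-16LE and NUL-terminated, so match them that way.
VBA_PROJECT_ENTRIES = ("Macros", "_VBA_PROJECT", "PROJECT")

# DOS drive paths (C:\dir\file.ext). Spaces are excluded on purpose: this is
# a triage regex, and allowing them makes matches run on into following text.
PATH_RE = re.compile(rb"[A-Za-z]:\\(?:[^\\\x00-\x20\"<>|?*]+\\)*[^\\\x00-\x20\"<>|?*]+")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


@dataclass
class OleTriage:
    is_ole: bool
    auto_exec_markers: list
    has_vba_project: bool
    paths: list

    @property
    def verdict(self) -> str:
        if not self.is_ole:
            return "not_ole"
        if self.auto_exec_markers and not self.has_vba_project:
            return "legacy_wordbasic_autoexec"  # the report's medium heuristic
        if self.auto_exec_markers:
            return "vba_autoexec"  # modern project present: hand to a VBA extractor
        return "no_autoexec_marker"


def triage(data: bytes) -> OleTriage:
    # bytes.lower() only changes ASCII letters, so UTF-16LE names still match.
    low = data.lower()
    markers = []
    for name in AUTO_EXEC_NAMES:
        ascii_hit = name.lower().encode() in low
        utf16_hit = _u16(name.lower()) in low
        if ascii_hit or utf16_hit:
            markers.append(name)
    has_vba = any(_u16(e) + b"\x00\x00" in data for e in VBA_PROJECT_ENTRIES)
    seen, paths = set(), []
    for m in PATH_RE.findall(data):
        p = m.decode("latin-1")
        if p not in seen:
            seen.add(p)
            paths.append(p)
    return OleTriage(data.startswith(OLE_MAGIC), markers, has_vba, paths)


# Constructed sample bytes (not the real file): OLE signature, two UTF-16LE
# directory names, then an ASCII macro body naming AutoOpen and a DOS path.
# The macro text is illustrative, not WordBasic recovered from the sample.
WORD95_LIKE = (
    OLE_MAGIC + b"\x00" * 24
    + _u16("Root Entry") + b"\x00\x00"
    + _u16("WordDocument") + b"\x00\x00"
    + b"\x00" * 8
    + b"AutoOpen\x00Sub MAIN\r\n\"C:\\Makroviren\\gremlin.doc\"\r\nEnd Sub\x00"
)
# Same body, but with Word 97+ style VBA project entries appended.
WORD97_LIKE = WORD95_LIKE + _u16("Macros") + b"\x00\x00" + _u16("_VBA_PROJECT") + b"\x00\x00"

if __name__ == "__main__":
    r = triage(WORD95_LIKE)
    print(r.verdict, r.auto_exec_markers, r.paths)
```

The verdict deliberately stays at "legacy_wordbasic_autoexec" when no VBA project entry is found, matching the report's medium severity: it is evidence of old macro execution surface, and the harvested path is a pivot, not an attribution of a downloader.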