Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 592a0ca05cf51877…

MALICIOUS

Office (OLE)

Size: 12.0 KB
Created: 1997-02-19 15:51:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: 84633e86d4836e7b30b5c1762e9e8450
SHA-1: c92e04be2707d3ac1d59a9bcde1fcb4fc0083991
SHA-256: 592a0ca05cf518777a83ec441b71e27ddae1da9917ccfeee5a6c66a7385bff0e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macros, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The document body text explicitly states 'This is a Macro Goat File. You MAY be infected already!', suggesting a social engineering lure. The presence of AutoNew and FileSaveAs macros, along with references to network paths and local document paths, indicates potential malicious activity such as dropping files or establishing persistence. The ClamAV detection further supports its malicious nature.

Heuristics 2

  • ClamAV: Win.Trojan.Tedious-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Tedious-1
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.