Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5b098bb0552e6dd8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 7.0 KB
First seen: 2012-06-14
MD5: 5dcacb3e560eb13bbcecd9ca2e6eae29
SHA-1: 1fe2e686e612f5aa91f0e1878b6468ac30c421ee
SHA-256: 5b098bb0552e6dd827918ce465a0d7a58af4735b7c824271cec7d44efe8a0980
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample exhibits the characteristics of a legacy macro virus: it contains the string 'RSN MACRO VIRUS Goat file' together with legacy WordBasic macro markers (a 'goat file' is a bait document that researchers let a virus infect in order to capture its replication, so this sample may be an infected test file rather than an original lure). The document body text, although it contains unusual formatting and file paths, reinforces the macro-virus indicators. The primary technique observed is an auto-executing Word macro written in WordBasic, the Word 6/95 predecessor of Visual Basic for Applications (VBA), which runs when the document is opened and is mapped here to T1059.005. The Spearphishing Attachment mapping (T1566.001) reflects the usual delivery of such a document rather than anything observable in static analysis.

Heuristics (2)

  • ClamAV: Win.Trojan.Tabula-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Tabula-1.
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers (AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro) or named historical macro-virus strings. These old Word 6/95 macros are not stored as a modern VBA project, so VBA source extraction alone can miss them; confirm by inspecting the raw OLE streams rather than relying on extracted VBA.
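The following is an added example, not the report's or the scanner's own code, showing how the OLE_LEGACY_WORDBASIC_MACRO_VIRUS check described above can be implemented as a stand-alone Python scanner. It verifies the compound-file magic, then searches the raw bytes for the auto-execution names, the WordBasic macro statements and the named virus string in both ANSI and UTF-16LE, because those markers sit in old Word storage that VBA project extraction never reaches. The marker names beyond the ones the report lists (AutoClose, AutoExec, AutoNew, AutoExit), the verdict thresholds and the sample bytes are assumptions; the samples are constructed and are not taken from the analysed file.

```python
"""Heuristic scan for legacy WordBasic (Word 6/95) macro-virus markers in an OLE file.

Added example, not the vendor's detection code.  It scans raw bytes for marker
strings in both ANSI and UTF-16LE because old WordBasic macros are not exposed
as a VBA project and so are missed by VBA source extraction.
"""
import re
from typing import Dict, Iterable, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file (OLE2) header

# Auto-execution macro names honoured by Word 6/95.  The report names AutoOpen;
# the other four are the remaining WordBasic auto macros (assumption: flagged
# for the same reason).
AUTO_EXEC = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
# WordBasic statements the report lists as used to copy/install macros.
MACRO_API = ("ToolsMacro", "MacroFile", "fileMacro", "globMacro")
# Named historical macro-virus strings; only the one this report quotes.
VIRUS_STRINGS = ("RSN MACRO VIRUS",)


def _find_markers(data: bytes, names: Iterable[str]) -> List[str]:
    """Return the marker names present as ANSI or UTF-16LE text (case-insensitive)."""
    found = []
    for name in names:
        ansi = re.escape(name.encode("ascii"))
        wide = re.escape(name.encode("utf-16-le"))
        if re.search(b"(?:" + ansi + b"|" + wide + b")", data, re.IGNORECASE):
            found.append(name)
    return found


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Classify a file's raw bytes using the report's heuristic.

    Verdicts (assumed thresholds):
      not-ole      -> no compound-file header, rule does not apply
      clean        -> no markers
      suspicious   -> auto-exec names or macro statements, but not both
      legacy-wordbasic-macro-virus -> auto-exec + macro statement, or a named virus string
    """
    result: Dict[str, object] = {
        "is_ole": data.startswith(OLE_MAGIC),
        "auto_exec": _find_markers(data, AUTO_EXEC),
        "macro_api": _find_markers(data, MACRO_API),
        "virus_strings": _find_markers(data, VIRUS_STRINGS),
        "verdict": "clean",
    }
    if not result["is_ole"]:
        result["verdict"] = "not-ole"
    elif result["virus_strings"] or (result["auto_exec"] and result["macro_api"]):
        result["verdict"] = "legacy-wordbasic-macro-virus"
    elif result["auto_exec"] or result["macro_api"]:
        result["verdict"] = "suspicious"
    return result


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample bytes (not the real 5b098bb0... file): an OLE header
# followed by markers in the mixed encodings seen in old Word files.
SAMPLE_LEGACY = (
    OLE_MAGIC + b"\x00" * 24
    + b"Normal.dot\x00AutoOpen\x00"
    + "ToolsMacro".encode("utf-16-le")
    + b"\x00RSN MACRO VIRUS Goat file\x00"
)
SAMPLE_BENIGN = OLE_MAGIC + b"\x00" * 24 + b"Quarterly report text\x00"

if __name__ == "__main__":
    for label, blob in (("legacy", SAMPLE_LEGACY), ("benign", SAMPLE_BENIGN)):
        print(label, scan_bytes(blob))
```

Raw-byte matching is deliberately coarse: it will also fire on a benign document whose body text merely discusses these macro names, so treat the result as a triage signal and confirm by walking the OLE directory and its macro storage rather than by VBA extraction alone, which is exactly the blind spot the heuristic is meant to cover.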