Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60db8f3b13230b44…

MALICIOUS

Office (OLE)

9.0 KB First seen: 2012-06-14
MD5: 3bb6431ee9b41f2462d03cdfd7a9df0a SHA-1: 25a74a7ffa6e7db863b6d7d03765f08be0eea259 SHA-256: 60db8f3b13230b44de87275c4f3b74487c46095b5cfe0d0abdfbec5d0c3fd865
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, specifically referencing 'RSN MACRO VIRUS' and 'Goat file' within its document body and heuristics. The presence of WordBasic macro virus markers and the AutoOpen macro suggest an attempt to execute malicious code upon opening the document, likely as a spearphishing attachment. The family is unknown due to the age and generic nature of the indicators.

Heuristics 2

  • ClamAV: Win.Trojan.Zmb-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Zmb-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Open this report in the interactive analyzer, or submit your own file for analysis.