Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6450b85f2b8beb29…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 2000-10-07 12:45:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-30
MD5: 9b67b95ff688a82989d1b4063aa27200
SHA-1: ab859a5d3902e38a8267137e055181cbf9b4499b
SHA-256: 6450b85f2b8beb293e40bb73a01e10278b69ee8d0e61b4b8832c5918df83e266
Risk Score: 88

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample exhibits characteristics of a legacy WordBasic macro virus, indicated by specific markers found within its structure. Although no executable VBA statements were detected, the presence of these legacy markers suggests a potential for malicious macro execution. The large slack space in the OLE structure is also noted as an anomaly.

Heuristics (3)

  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 48,640 bytes but its declared streams total only 22,568 bytes, so 26,072 bytes (54%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.