Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b7519535b049a40…

MALICIOUS

Office (OLE)

6.5 KB Created: 1996-10-28 22:42:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 9b6ef9031a41a9d809662a939425b4c7 SHA-1: c296aacd0ba199efb5251b5cc14bc681d37f52c0 SHA-256: 6b7519535b049a405453cdaef3b29c6166b543c6b8f16f26998d98c4d28f985b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of legacy malware, specifically the presence of WordBasic macro virus markers like 'fileMacro$' and the potential execution of an 'autoOpen' macro. This indicates the document is likely designed to execute malicious code upon opening, typical of older macro-based threats. The ClamAV detection further supports its malicious nature.

Heuristics 2

  • ClamAV: Win.Trojan.Wazzu-29 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Wazzu-29
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.