Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6cebc05dfdd11f95…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 9.0 KB
First seen: 2012-06-14
MD5: ba46aeff12ae140b5f3ba6c63184263c
SHA-1: 06eb36dcee5773ec8c001765152a5e672781018b
SHA-256: 6cebc05dfdd11f953d4138da6fdfb41e2af490ea636dbe24cb0539989963b123
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

Heuristics identify the file as a legacy WordBasic macro virus, specifically mentioning 'RSN MACRO VIRUS Goat file'. The document body contains markers and strings commonly associated with older macro viruses, including AutoOpen and AutoExec functions and references to the creator. No specific payload URLs or executable code were directly extracted, but the presence of these markers strongly suggests malicious intent to execute embedded macro code.

Heuristics (2)

  • ClamAV: Win.Trojan.MVDK1-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.MVDK1-1
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.