Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a91bf9fbbf80fdb…

MALICIOUS

Office (OLE)

8.5 KB First seen: 2012-06-14
MD5: 4188b8aaf865658bb694a0998acdc720 SHA-1: c19d8815a8b1bcb0439f99d19a972a226a6afd54 SHA-256: 7a91bf9fbbf80fdb0f7324182e6c422e932861da0411d5c77ee0ac3135f0ad6e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by the 'RSN MACRO VIRUS' marker and the presence of AutoOpen, AutoClose, and AutoExec macros. These macros are designed to execute automatically when the document is opened or manipulated, indicating an attempt to infect the system or spread to other documents. The file is classified as malicious based on these findings.

Heuristics 2

  • ClamAV: Win.Trojan.TwoLines-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.TwoLines-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.