Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9070a22dba29cbe1…

MALICIOUS

Office (OLE)

Size: 9.5 KB
First seen: 2012-06-14
MD5: 222ac6cfe4fc64b6b2276b32a06b2b15
SHA-1: 53f8c54a2c618318b244ed02ffcf06dcb2a44852
SHA-256: 9070a22dba29cbe14c59b54fc7890a59948b0876b944b427087583390ca9624d
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers within its document body and heuristic firings. The embedded text suggests an attempt to trick users into executing macros, likely for malicious purposes. The presence of WordBasic macro virus markers points towards the T1059.005 (Visual Basic) technique, and the overall nature of such files implies a T1566.001 (Spearphishing Attachment) initial access vector.

Heuristics (2)

  • ClamAV: Win.Trojan.KMT-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.KMT-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.