Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9652d90c7d14275e…

MALICIOUS

Office (OLE)

9.5 KB First seen: 2012-06-14
MD5: 7c50e7d296572254f69794655f3d1597 SHA-1: 7f9853e892c886c59bcaf2ccea6246968bd3de69 SHA-256: 9652d90c7d14275e08e52b49d8d0ec60ec11b1641b765ae8eedd8957a054edd7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of WordBasic macro functions like AutoOpen and AutoExec. The document body contains obfuscated text and file paths, suggesting an attempt to hide malicious intent. While no specific payload delivery mechanism is evident, the macro functions indicate potential for arbitrary code execution.

Heuristics 2

  • ClamAV: Win.Trojan.Stall-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Stall-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.