Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 965bf236095b01c0…

MALICIOUS

Office (OLE)

Size: 12.0 KB
Created: 1601-01-01 00:00:00 (this is the Windows FILETIME epoch, i.e. the OLE creation timestamp is zero/unset, not a real creation date)
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 938dde65cc63e9de8d41dbe72679fa5d
SHA-1: fb20573b87236ec0888b90433a8d362c431f6eb2
SHA-256: 965bf236095b01c037382a1ded1821b98d662ec04fef6402003ab9cb0b669617
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a legacy (Word 6.0-era) Word document containing a WordBasic macro, the pre-VBA macro language of Word 6.0/95. The macro is named 'AutoClose', one of the names Word runs automatically without user action; this one fires when the document is closed. The payload itself is not discernible from the available evidence, so the verdict rests on the auto-executing macro together with the ClamAV signature match rather than on any recovered behaviour.

Heuristics (2)

  • ClamAV: Win.Trojan.Concept-18 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Concept-18
  • Legacy WordBasic auto-exec macro marker [severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker (such as AutoOpen), but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word 6.0/95 macro execution surface; on its own it does not attribute the file to a downloader or to a parser CVE.
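To make the two findings above concrete, here is an added triage script; it is not the report generator's own code and uses only the Python standard library. It reads the OLE header and root directory entry so that a 1601-01-01 "Created" value is reported as an unset FILETIME rather than a date, looks for the five WordBasic auto-executing macro names, and checks for a Word 97+ VBA project via the _VBA_PROJECT stream name. The raw string-scan approach, the make_sample() toy OLE image and the verdict labels are my own assumptions, not the scanner's logic.

```python
"""
Triage helper for an OLE_LEGACY_WORDBASIC_AUTOEXEC-style finding: OLE magic,
root-entry timestamps (FILETIME 0 == unset), WordBasic auto-macro names and a
VBA-project check. Added example, stdlib only; not the report tool's code.
"""
import re
import struct
from datetime import datetime, timedelta

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FILETIME_EPOCH = datetime(1601, 1, 1)
# WordBasic macros that Word 6.0/95 runs without user action.
AUTO_MACROS = ("AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit")
# Stream name present in every VBA project storage (Word 97 and later).
VBA_MARKER = "_VBA_PROJECT"


def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def root_entry_times(data: bytes):
    """ctime/mtime of directory entry 0 (the root), per the CFB header layout."""
    sector_shift = struct.unpack_from("<H", data, 30)[0]
    first_dir_sect = struct.unpack_from("<I", data, 48)[0]
    root = (first_dir_sect + 1) << sector_shift   # sector 0 starts after the header
    ctime, mtime = struct.unpack_from("<QQ", data, root + 100)
    return filetime_to_datetime(ctime), filetime_to_datetime(mtime)


def find_auto_macro_names(data: bytes):
    """Assumption (mine): names are matched as raw ASCII or UTF-16LE strings
    anywhere in the file rather than parsed out of the Word 6 macro table, so
    body text that merely mentions 'AutoOpen' also hits. Triage evidence only."""
    hits = []
    for name in AUTO_MACROS:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
            hits.extend((name, enc, m.start()) for m in pat.finditer(data))
    return sorted(hits, key=lambda h: h[2])


def has_vba_project(data: bytes) -> bool:
    # OLE directory entries store stream/storage names as UTF-16LE.
    return VBA_MARKER.encode("utf-16-le") in data


def triage(data: bytes) -> dict:
    if not data.startswith(OLE_MAGIC):
        return {"verdict": "not-ole"}
    ctime, mtime = root_entry_times(data)
    hits = find_auto_macro_names(data)
    vba = has_vba_project(data)
    if vba:
        verdict = "vba-project-present"            # hand off to a VBA extractor
    elif hits:
        verdict = "legacy-wordbasic-autoexec-marker"
    else:
        verdict = "no-macro-marker"
    return {"verdict": verdict, "auto_macros": sorted({h[0] for h in hits}),
            "vba_project": vba, "created": ctime, "modified": mtime,
            "created_unset": ctime is None}


def _dir_entry(name: str, obj_type: int, ctime: int = 0, mtime: int = 0) -> bytes:
    """One 128-byte CFB directory entry (name, type, no siblings, timestamps)."""
    n = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[0:len(n)] = n
    struct.pack_into("<HBBiii", e, 64, len(n), obj_type, 1, -1, -1, -1)
    struct.pack_into("<QQ", e, 100, ctime, mtime)
    return bytes(e)


def make_sample(auto_name: str, with_vba: bool, ctime: int = 0) -> bytes:
    """CONSTRUCTED toy CFB image (header + directory sector + one data sector).
    Not a valid Word file, just enough structure for the checks above."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHH", hdr, 26, 3, 0xFFFE, 9)  # v3, little-endian, 512-byte sectors
    struct.pack_into("<I", hdr, 48, 0)               # directory lives in sector 0
    entries = [_dir_entry("Root Entry", 5, ctime), _dir_entry("WordDocument", 2)]
    if with_vba:
        entries.append(_dir_entry(VBA_MARKER, 2))
    directory = b"".join(entries).ljust(512, b"\x00")
    body = (b"\x00" * 40 + auto_name.encode("ascii")).ljust(512, b"\x00")
    return bytes(hdr) + directory + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample("AutoClose", False)
    print(triage(blob))
```

A string hit alone is weak evidence: the same "AutoOpen" bytes appear in a document that merely discusses macros, which is why the finding above is rated medium and kept separate from the ClamAV signature match. When has_vba_project() is true the file has a Word 97+ VBA project and belongs with a proper VBA extractor rather than this scan.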