Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cba1884a9ab9aea…

MALICIOUS

Office (OLE)

7.5 KB First seen: 2012-06-14
MD5: 3ee35fd2da9dc2b3385ff64b0039aa24 SHA-1: fee9c43af7300ddaea042dae9fd7605336cab7a7 SHA-256: 9cba1884a9ab9aea705b7d6f9dcd0173d28091fc2a54dbc14535b29f107a28d6
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of WordBasic macro functions like AutoOpen and FileSaveAs. The document body contains embedded strings and references to malicious functions, indicating an attempt to execute arbitrary code upon opening or manipulation of the document.

Heuristics 2

  • ClamAV: Win.Trojan.BadBoy-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.BadBoy-9
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.