Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a0a539edd65251c9…

MALICIOUS

Office (OLE)

9.0 KB First seen: 2012-06-14
MD5: 3038074baabdeddc22fc564900cf6dd6 SHA-1: 8549ecd8f31129ef2b431425e3b8d6ad2cf234c2 SHA-256: a0a539edd65251c95ee598c38ffea09c6ebc7d432aaf93d2cce46f1bd2947c65
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of macros like 'AutoOpen' and 'Attack'. The document body contains text that appears to be part of the macro's payload, including references to its creation date and author, and potentially malicious macro names. The ClamAV detection further confirms its malicious nature.

Heuristics 2

  • ClamAV: Win.Trojan.Attack-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Attack-3
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.