Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a3a5d20eed76f09d…

MALICIOUS

Office (OLE)

Size: 10.0 KB
First seen: 2012-06-14
MD5: 0b618fe09e499d8280c12aed9161963c
SHA-1: 0b45d426b344ddad6e1ca70a6113d0d901f377f9
SHA-256: a3a5d20eed76f09d592e1f114b21dda2d7117d460fc8e3d0f0c90590a56b8324
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample was detected as Win.Trojan.Lox-1 by ClamAV and exhibits legacy WordBasic macro virus markers. The document body contains numerous VBA macro function names such as AutoOpen, AutoExec, FileOpen, and FileSaveAs, indicating an attempt to execute malicious code when the document is opened or interacted with. The string 'RSN MACRO VIRUS' in the document body, together with the heuristic hits, suggests a macro-based threat.

Heuristics (2)

  • ClamAV: Win.Trojan.Lox-1 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Lox-1
  • Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.