Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c013d98699e7c476…

MALICIOUS

Office (OLE)

7.0 KB First seen: 2012-06-14
MD5: 406454616f5b18574f48a462c98a7fd0 SHA-1: c198f5c55bf328b3c28a7ea10d5717ea3bf10791 SHA-256: c013d98699e7c47671073623762ab7710d0b6fc87f79b09d5eeca982f959ee85
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of WordBasic macro virus indicators. The document body contains text that appears to be part of the macro's payload, including references to 'AutoOpen' and 'MacroManager', suggesting an attempt to execute malicious code upon opening. The file is detected by ClamAV as Doc.Trojan.Daniel-1, reinforcing its malicious nature.

Heuristics 2

  • ClamAV: Doc.Trojan.Daniel-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Daniel-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.