Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c44aba54f8448e08…

MALICIOUS

Office (OLE)

Size: 16.5 KB
First seen: 2012-06-14
MD5: 9ae089ebb19864029e02cd4dd1e2df9c
SHA-1: 528477751e44646d94a443047a934016e1224b9a
SHA-256: c44aba54f8448e08ddeecf18f775be9ef3d33016b0ea79f52407cf9ee6f15d50
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified by the 'RSN MACRO VIRUS' marker and the 'Win.Trojan.Innocence-2' ClamAV detection. The document body contains numerous macro names like AutoOpen, FileSave, and ToolsMacro, indicating its intent to execute automatically and potentially infect other documents. The presence of legacy macro virus markers strongly suggests a malicious intent to spread.

Heuristics (2)

  • ClamAV: Win.Trojan.Innocence-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Innocence-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.