Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8ae6ac235d21676…

MALICIOUS

Office (OLE)

6.5 KB First seen: 2012-06-14
MD5: cbc5f841df4e4c8b2abcdc4cbc885f1a SHA-1: 60c2a702a516c9103752d9cd44e3a6b69a4229d5 SHA-256: c8ae6ac235d216765d14cd4f8a74dfba86965c29da20015a3f90c16c2fa88a8c
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and ClamAV detection as Win.Trojan.Aber-1. The document body contains text that appears to be part of the macro's payload, including author information and file paths, suggesting an attempt to spread or execute malicious routines. The presence of legacy WordBasic macro virus markers points towards the use of Visual Basic for scripting.

Heuristics 2

  • ClamAV: Win.Trojan.Aber-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Aber-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.