Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d3cec4fe823c5d57…

MALICIOUS

Office (OLE)

Size: 13.5 KB
Created: 1996-12-26 20:38:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: c1917dfca0ec87859aa20d9de504947d
SHA-1: 377817a5c77e3369d1a24b53be097a7b48729b18
SHA-256: d3cec4fe823c5d5796321a7bbca9d26917370ec6b4b68d23be91817684b9ce2e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing WordBasic macros. The heuristic `OLE_LEGACY_WORDBASIC_AUTOEXEC` indicates the presence of an auto-exec macro, specifically `FileSaveAs`. The document body confirms this: it contains commands such as `Global:FileSaveAs` and `:FileSaveAsdo`, which save the document under a new name and thereby facilitate self-propagation. The ClamAV detection further supports the malicious classification.

Heuristics (2)

  • ClamAV: Doc.Trojan.Polite-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Polite-1
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.