Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7b88b3ca56da47c…

MALICIOUS

Office (OLE)

Size: 11.0 KB
First seen: 2012-06-14
MD5: e239b907271144c0570cff602d25063b
SHA-1: 93091872806b6e71a6c937dedba201200f541857
SHA-256: d7b88b3ca56da47ce1b06037ac1092c1183de83e07bc0a351e291219f3235a72
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, specifically referencing 'RSN MACRO VIRUS Goat file' and containing WordBasic macro virus markers. The document body includes AutoOpen, AutoClose, and FileSaveAs subroutines, typical of older macro malware designed to execute automatically or upon specific user actions. The presence of these elements strongly suggests an attempt to deliver a malicious macro payload.

Heuristics (2)

  • ClamAV: Win.Trojan.Alien-4 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Alien-4
  • Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.