Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d960ddbb71a4263a…

MALICIOUS

Office (OLE)

Size: 70.0 KB
Created: 1997-03-17 12:12:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: 5cbb3f07483ac92e081f4c9c1d6c6d17
SHA-1: 936273c9020904bd6d4a6becb735ad8f91f8f885
SHA-256: d960ddbb71a4263a9b024a8c75fe5c74dd20a71b441890c48ae6c6330da4fdac
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'TOOLSMACRO' marker and ClamAV detection as 'Win.Trojan.Eraser-10'. The presence of a heap-spray pattern further indicates an attempt to execute arbitrary code. While the specific payload is not detailed, the combination of these indicators strongly suggests a malicious intent to compromise the system.

Heuristics (4)

  • ClamAV: Win.Trojan.Eraser-10 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Eraser-10
  • Heap-spray pattern detected [high] (SC_HEAP_SPRAY)
    Repeated 0x06 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_920134711/Ole10Native
Size: 6212 bytes
SHA-256: 290759b0e4fc83414b7ae7693ebe1c77c0b77af851ffccbda3974179f5e963cb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06