Verdict: MALICIOUS
Risk Score: 160
MITRE ATT&CK: T1059.005 Visual Basic

Malware Insights
The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'TOOLSMACRO' marker and ClamAV detection as 'Win.Trojan.Eraser-10'. The presence of a heap-spray pattern further indicates an attempt to execute arbitrary code. While the specific payload is not detailed, the combination of these indicators strongly suggests a malicious intent to compromise the system.
Heuristics (4)

- ClamAV: Win.Trojan.Eraser-10 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Eraser-10
- Heap-spray pattern detected [high, SC_HEAP_SPRAY]: Repeated 0x06 bytes found
  Disassembly (attempted x86 opcode disassembly of the flagged region):
  0000E63A 06 push es
  0000E63B 06 push es
  0000E63C 06 push es
  0000E63D 06 push es
  ... (the same single-byte instruction, 06 push es, repeats at every consecutive address up to 0000E699, i.e. 96 identical bytes in total)
  0000E698 06 push es
  0000E699 06 push es
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_920134711/Ole10Native | 6212 bytes |

Details for ole10native_00.bin:
SHA-256: 290759b0e4fc83414b7ae7693ebe1c77c0b77af851ffccbda3974179f5e963cb
Detection, ClamAV: No threats found
Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06