Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e0137bc912e3bef7…

MALICIOUS

Office (OLE)

6.5 KB First seen: 2012-06-14
MD5: a8401806cf77f80559f0772c2097b3e8 SHA-1: 849718294562ba80ee23f12273c86cee08ac2947 SHA-256: e0137bc912e3bef769cdc06368a2a9aadf301cc5a90ccdb1e96a2b5961b2bf6e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of 'India' in the document body, which is also referenced in the ClamAV detection name 'Win.Trojan.India-3'. The document body contains embedded text that mimics file paths and document content, likely intended to obfuscate the malicious macro's true purpose. The macro attempts to set document passwords, suggesting an effort to control or restrict access, possibly after a malicious action.

Heuristics 2

  • ClamAV: Win.Trojan.India-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.India-3
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Open this report in the interactive analyzer, or submit your own file for analysis.