Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9cba7015e1cf7f2…

MALICIOUS

Office (OLE)

Size: 6.0 KB
First seen: 2012-06-14
MD5: fafddeb8bd70a45c6e541f7e9f56769a
SHA-1: 080cd873f3f7ae7004fc470555967e0882c31bf2
SHA-256: e9cba7015e1cf7f2a6e3b478be2df78f5327fd0c7fff95529dc11a6f9518d9f2
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers and the presence of WordBasic macro virus indicators. The document body contains embedded text that appears to be a lure, including standard text and file paths, common in older macro malware to obscure malicious intent. No specific second-stage payload or network communication was detected in the static analysis.

Heuristics (3)

  • ClamAV: Win.Trojan.DMV-7 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.DMV-7
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source (severity: info; rule: OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  wordbasic_macros.txt
Kind:      wordbasic-macro
Source:    analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size:      286 bytes
SHA-256:   ee5a235140c804099d1d564dc3beb775e1a63854e1fc5087681731f438c06fee

Preview (first 1,000 lines of the extracted script):
29551
MAIN
total = @cmd80b7 0
present = 0
total 0
cycle = 1 total
@cmd80b8 cycle , 0 = "AutoClose"
present = 1
a$ = @cmd803b = ":AutoClose"
present 1
@cmd80c2 a$ , "Global:AutoClose"
present = 0
@cmd80b7 1 0
present = 1
present = 0
@cmd0054 = 1
@cmd80c2 "Global:AutoClose" , a$
@cmd0053