Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0661f1a2d3fba42…

MALICIOUS

Office (OLE)

6.5 KB First seen: 2012-06-14
MD5: 6b223fdb053c34b457f6a2c10146ab54 SHA-1: ce979c01236ecd390787051598bb29fd91429d64 SHA-256: f0661f1a2d3fba4228765580d60e6b3d1f258b75c3003f965a4e858c60d3a11e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically 'RSN MACRO VIRUS', which is a strong indicator of malicious intent. The document body contains numerous references to this marker and other legacy macro names, suggesting the file is designed to execute embedded malicious code. The ClamAV detection further confirms its malicious nature.

Heuristics 2

  • ClamAV: Win.Trojan.TWNO-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.TWNO-2
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.