Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1b340495824d34d…

MALICIOUS

Office (OLE)

Size: 9.0 KB
First seen: 2012-06-14
MD5: f59bda7290be3ac42d22f9339cae3362
SHA-1: 3e556b0e66c952b5a1c470b359a544138583f7aa
SHA-256: f1b340495824d34d345ddffdbd238d3dc0fa70eb456ffc6b9577f03bf2455a13
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS' markers within its document body and heuristic firings. The embedded text suggests an attempt to obscure its malicious nature by including standard document elements and file paths. No specific second-stage payload or network communication was detected, but the presence of macro virus markers indicates a high likelihood of malicious intent.

Heuristics (2)

  • ClamAV: Win.Trojan.Temple-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Temple-1
  • Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen combined with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.