Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f368f74ca9a33ce8…

MALICIOUS

Office (OLE)

Size: 6.0 KB
First seen: 2012-06-14
MD5: 240408ff98c858bb54375a0111c0953c
SHA-1: 26c5d9789c7ac761e9596fdc4381640f471ef614
SHA-256: f368f74ca9a33ce83ec72594dd31ae38b0c601a3b4dcc4eae43585b5dd28d44f
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, identified by 'RSN MACRO VIRUS' markers and the presence of WordBasic macro virus indicators. The document body, although it contains unusual text, is consistent with a macro virus: it references 'AutoOpen' and 'RSN MACRO VIRUS Goat file'. This suggests the file is designed to execute malicious code when macros are enabled, likely as a payload delivery mechanism.

Heuristics (2)

  • ClamAV: Win.Trojan.Dave-1 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dave-1
  • Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.