Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f5217b65d7599cc2…

MALICIOUS

Office (OLE)

Size: 11.0 KB
First seen: 2012-06-14
MD5: 75d39015f9e99f03bedf23cf1c74cd0b
SHA-1: a426d33211b4bca17c84a434d6f5e1e7485823d0
SHA-256: f5217b65d7599cc26e87a90b767c647d775739f5ee97e1b37a3d6893b93f1ef1
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by the 'RSN MACRO VIRUS' marker and the mention of 'Goat file' in the document body. The embedded text, including author information and file paths, further supports its nature as an old macro-based threat. While no specific malicious script was extracted, the presence of these markers strongly indicates a macro-based attack pattern.

Heuristics 2

  • ClamAV: Win.Trojan.Narmol-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Narmol-1
  • Legacy WordBasic macro-virus markers [high] [OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.