Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7145ff5f20f6a04…

MALICIOUS

Office (OLE)

Size: 6.5 KB
First seen: 2012-06-14
MD5: df7dff5406468a34f10297396860ca4c
SHA-1: 4dc7573390232b6efa857ae722d425c071513d3e
SHA-256: f7145ff5f20f6a0453e26917b9d43a7894f2d1503eb3acdd25a7a98418b1bd79
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically 'RSN MACRO VIRUS'. The document body contains embedded commands that appear to be intended for file deletion and system disruption, such as 'deltree C:\*.* /YdLql' and 'Del C:\*.*dLql'. These actions, combined with the legacy virus markers, suggest an attempt to cause system instability or data loss.

Heuristics (2)

  • ClamAV: Win.Trojan.Switches-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Switches-1
  • Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.