Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 054a0972b34b4438…

MALICIOUS

Office (OLE)

Size: 12.0 KB
Created: 1995-10-30 17:04:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 9142e16cd65e4a264701b5ac9f609fd4
SHA-1: 97f0dfb6b2f99c983168fd4328f0df3161285e70
SHA-256: 054a0972b34b4438836fae9cda3ab707761303ce882b5dbc7d0bcf96caa3a089
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro virus markers and is detected by ClamAV as 'Doc.Trojan.Concept-2'. The document body explicitly discusses a 'WordMacro.IkWordNietGoed.virus' and its self-copying behavior upon saving. It also contains obfuscated macro code that likely implements this spreading mechanism and potentially destructive actions, as indicated by phrases like 'root gewist' and 'inhoud van de DOS-directory'.

Heuristics 3

  • ClamAV: Doc.Trojan.Concept-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Concept-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings