Win.Trojan.Query-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 06f7362d4174979e…

MALICIOUS

Office (OLE)

Size: 16.5 KB
Created: 1999-02-25 02:04:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: ede692c37df269e1d62e70e9c67253d7
SHA-1: 35623f2d73aead5079247cc278f46de421da5637
SHA-256: 06f7362d4174979ea6b5fa884b2cc46ebaf5383814e681e6252fc161ba8011bd
Risk Score: 100

Malware Insights

Win.Trojan.Query-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically related to 'ToolsMacro' and 'AutoOpen' routines. The document body explicitly describes the macro's functionality: turning off screen updating, editing and copying its own code, and pasting it into the document and global template to evade generic scans, before executing a payload. This indicates a self-replicating macro virus.

Heuristics (2)

  • ClamAV: Win.Trojan.Query-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Query-3
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.