Win.Trojan.Ultras-4 — Office (OLE) malware analysis

Static analysis result for SHA-256 0f64159d2809436b…

MALICIOUS

Office (OLE)

12.5 KB Created: 1996-08-06 11:16:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: d8aab86457be635ba0546a53c8dd176b SHA-1: b68392968d9f5476af47bc16ee9876a2a55391dd SHA-256: 0f64159d2809436b1e626cbbb9e083222ad8a5245122fbaee8b4471aa850ad25
100 Risk Score

Malware Insights

Win.Trojan.Ultras-4 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically related to 'ToolsMacro' and 'AutoExec' routines, indicating malicious intent. The document body contains strings that suggest it attempts to infect system files and potentially spread via email, as indicated by the presence of 'ultras2@usa.net'. The ClamAV detection of 'Win.Trojan.Ultras-4' strongly supports the classification of this file as malicious.

Heuristics 2

  • ClamAV: Win.Trojan.Ultras-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Ultras-4
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Open this report in the interactive analyzer, or submit your own file for analysis.