Win.Trojan.Box-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 10d26b2a9aa46762…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 1996-07-26 18:08:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: e60949357d7dd14bb519f59bb30881e6
SHA-1: 289d6e917b4ef5ce926d4d68fa30f54cc048aeae
SHA-256: 10d26b2a9aa4676286ceaa5fab6e1ac86893dd35b8ef4574f67d5dc5eb9ec517
Risk Score: 140

Malware Insights

Win.Trojan.Box-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'TOOLSMACRO' marker. ClamAV detection confirms it as Win.Trojan.Box-3. The presence of these indicators strongly suggests the document is intended to execute malicious code, likely for further system compromise.

Heuristics (3)

  • ClamAV: Win.Trojan.Box-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Box-3
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x07 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.