Win.Trojan.Wiederoeffnen-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 18deb1a8c26e711c…

MALICIOUS

Office (OLE)

Size: 12.0 KB
Created: 1994-03-18 07:11:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: c043de90b1f0a1c5ad525717d60f8add
SHA-1: 002bc7cad4b5b61ce961838e04e59b53735a966b
SHA-256: 18deb1a8c26e711c912747e98b609156c73ffe7e0638273d75997c75458acbd5
Risk Score: 80

Malware Insights

Win.Trojan.Wiederoeffnen-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The critical-severity ClamAV heuristic identifies the sample as Win.Trojan.Wiederoeffnen-1. The document body explicitly describes how the 'AutoOpen' macro runs when the document is opened, with the aim of creating a directory and moving the AUTOEXEC.BAT file. This is consistent with a social engineering tactic intended to instill fear and demonstrate a perceived capability.

Heuristics (2)

  • ClamAV: Win.Trojan.Wiederoeffnen-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Wiederoeffnen-1
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.