Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 19109670f4e17f7b…

MALICIOUS

Office (OLE)

Size: 11.5 KB
Created: 1997-02-19 15:51:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: a398b043c3a9e9eed9b58155a05170db
SHA-1: 15e1b353b2d8625669e387b393c145fa1029beb1
SHA-256: 19109670f4e17f7bf58ff2579ace97230c2a26b01b36db4e6e1b9c62e1af1424
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains a legacy WordBasic auto-exec macro marker ('autoclose'), and the document body explicitly states 'This is a Macro Goat File' and 'You MAY be infected already!'. This suggests the document is designed to scare the user into performing an action, potentially related to macro execution. The 'autoclose' marker indicates an attempt to run code automatically when the document is closed.

Heuristics (2)

  • ClamAV: Win.Trojan.NF-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.NF-3
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.