Win.Trojan.Jorden-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 2649c43aa7822982…

MALICIOUS

Office (OLE)

25.0 KB First seen: 2015-09-15
MD5: 0ba44110aff2c332c881bb13213654c0 SHA-1: 8cdeb63fe003c814f23f2d27469ebc5b89af1dea SHA-256: 2649c43aa78229828ca125a9df8e2772af10feac0e1482b9f897d1b49aa466a1
100 Risk Score

Malware Insights

Win.Trojan.Jorden-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy WordBasic macro-virus by heuristics, specifically containing the marker 'TOOLSMACRO'. ClamAV detection confirms it as Win.Trojan.Jorden-1. The presence of WordBasic macros indicates an attempt to execute malicious code, likely for downloading and running a secondary payload.

Heuristics 2

  • ClamAV: Win.Trojan.Jorden-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Jorden-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.