Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2fd77768d3bba02d…

MALICIOUS

Office (OLE)

Size: 22.5 KB
Created: 1994-02-03 21:52:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: 2b1768236238d820f6113e4e89cfce4d
SHA-1: cfae7b9473799590bd81bd95f64c2c0ed4a736e7
SHA-256: 2fd77768d3bba02d7d5fa2553443e3462573ae6251d86475c53685783ed32ad7
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV heuristic indicates this is a known malware sample (Doc.Trojan.Trojan-177). The legacy WordBasic auto-exec marker 'AutoOpen' suggests the document is designed to run malicious code automatically when opened. The presence of 'AutoOpen' and 'Trojan Horse NIKITA!' in the document body strongly implies an attempt to execute a payload.

Heuristics (2)

  • ClamAV: Doc.Trojan.Trojan-177 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Trojan-177
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.