Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36f5335f475c4cf9…

MALICIOUS

Office (OLE)

Size: 20.0 KB
Created: 1996-10-09 18:07:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14

MD5: 24e21409ef6b382d72510c3a1ee2f304
SHA-1: 4428b03205f4bcfe343f0cc579b8d018b2fa7091
SHA-256: 36f5335f475c4cf9b4dbca39ea23ef2ed636160022b35b186829ff0b56d424b8

Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macro virus markers and a heuristic indicating a lure to execute commands via the clipboard. The macro code appears to be designed to copy itself to global or active templates, suggesting an attempt to establish persistence or spread. The ClamAV detection of 'Win.Trojan.Color-3' further supports the malicious nature of the file.

Heuristics (3)

  • ClamAV: Win.Trojan.Color-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Color-3.
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Clipboard command execution lure [high] (SE_CLIPBOARD_COMMAND_LURE)
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.