Office (OLE) malware analysis — malicious · 37f551da3bec02f5

MALICIOUS

Office (OLE)

20.0 KB Created: 1997-05-27 11:17:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14

MD5: 49b16dc1c54e9f7d68663e4c26ae3c43 SHA-1: 8c83e34d5ab65d89c9404c0838871b2d116148cb SHA-256: 37f551da3bec02f55639ec4da62157902da9429fa0f6788bc89080c3aa81f16c

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'ToolsMacro' marker and ClamAV detection as Win.Trojan.Kilok-2. The document body contains text referencing a virus named 'KraKAtAudk' and includes a URL, suggesting a social engineering or distribution attempt. The presence of legacy macro virus markers points to the use of Visual Basic for macro execution.

Heuristics 3

ClamAV: Win.Trojan.Kilok-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Kilok-2
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.geocities.com/researchtriangle/3996dp In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.