Win.Trojan.Talon-7 — Office (OLE) malware analysis

Static analysis result for SHA-256 3e5b0ec474f77652…

MALICIOUS

Office (OLE)

Size: 16.0 KB
Created: 1997-04-04 15:49:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: 7fee3f09e3432cfaa3ca527bdfc4f2c1
SHA-1: e6adc48bf358dbf02360603d5761d9da4c6f8f66
SHA-256: 3e5b0ec474f776522d0963e9bccc85d78c7e099d8849113b752b4f333bb0f0a0
Risk score: 102

Malware Insights

Win.Trojan.Talon-7 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is detected as Win.Trojan.Talon-7, a legacy WordBasic macro virus. Heuristics report legacy macro-virus markers together with the 'ToolsMacro' and 'FileSaveAs' commands, which suggests the macro manipulates macro storage and document saving, the usual means by which Word 6/95 macro viruses install themselves and infect saved documents. The document body also contains strings such as 'Macroi', 'Talonql', 'Activatesi' and 'Passwordddn', consistent with macro execution and possibly password-protected saving; since these are carved from tokenised data, the trailing characters are not necessarily part of the identifiers.

Heuristics (3)

  • ClamAV: Win.Trojan.Talon-7 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Talon-7
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source (info, OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
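The two heuristics above describe a check that standard VBA extraction does not perform: read the raw WordDocument stream, confirm it is a Word 6/95 file, and look for auto-execution entry points next to macro-copy and save commands. The script below is an added example that reproduces that triage logic; it is not code from this report or from the analyzer that produced it. The helper names (fib_ident, find_markers, carve_strings, classify, scan_ole_file), the marker lists and the sample streams are assumptions and constructed data, not bytes carved from the real sample. The wIdent values (0xA5DC for Word 6/95, 0xA5EC for Word 97+) are the documented FIB identifiers.

```python
"""Triage helper for Word 6/95 documents that carry tokenised WordBasic macros.

Added example, not code from the original report or from the analyzer it
describes. Helper names are hypothetical and the sample streams below are
constructed for demonstration; nothing here is carved from the real sample.
"""
import re
from typing import Dict, List

# Auto-execution entry points and the macro/save commands the report's
# OLE_LEGACY_WORDBASIC_MACRO_VIRUS heuristic names.
AUTO_EXEC = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
MACRO_CMDS = ("ToolsMacro", "MacroCopy", "MacroFile", "FileMacro",
              "GlobMacro", "FileSaveAs")

# First two bytes of the WordDocument stream (FIB wIdent):
# 0xA5DC marks a Word 6.0/95 file, 0xA5EC a Word 97 or later file.
WORD6_WIDENT = 0xA5DC
WORD97_WIDENT = 0xA5EC


def fib_ident(stream: bytes) -> int:
    """Little-endian wIdent at the start of the WordDocument stream."""
    return int.from_bytes(stream[:2], "little")


def find_markers(stream: bytes, names) -> Dict[str, List[int]]:
    """Case-insensitive search for each identifier, both as ASCII and as
    UTF-16LE, returning the offsets at which it occurs."""
    hits: Dict[str, List[int]] = {}
    for name in names:
        offsets: List[int] = []
        for encoded in (name.encode("ascii"), name.encode("utf-16-le")):
            pattern = re.compile(re.escape(encoded), re.IGNORECASE)
            offsets.extend(m.start() for m in pattern.finditer(stream))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def carve_strings(stream: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, for reviewing the identifiers and literals
    (REM comments, file names, message text) a tokenised macro leaves behind."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, stream)]


def classify(stream: bytes) -> dict:
    """Mirror the report's rule: a Word 6/95 FIB plus an auto-exec marker
    plus at least one macro-copy or save command is flagged."""
    auto = find_markers(stream, AUTO_EXEC)
    cmds = find_markers(stream, MACRO_CMDS)
    word6 = fib_ident(stream) == WORD6_WIDENT
    return {
        "word6_fib": word6,
        "auto_exec": auto,
        "macro_cmds": cmds,
        "flagged": word6 and bool(auto) and bool(cmds),
    }


def scan_ole_file(path: str) -> dict:
    """Pull the WordDocument stream out of an OLE compound file and classify
    it. Needs the third-party 'olefile' package; imported here so the rest
    of the example runs without it."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        data = ole.openstream("WordDocument").read()
    finally:
        ole.close()
    return classify(data)


# Constructed test data (not from the sample): a fake Word 95 FIB header
# (wIdent 0xA5DC, nFib 104), binary filler, and identifiers as a tokenised
# WordBasic macro would leave them, one of them stored as UTF-16LE.
SAMPLE_STREAM = (
    WORD6_WIDENT.to_bytes(2, "little") + (104).to_bytes(2, "little")
    + bytes(range(0x01, 0x10))
    + b"\x00AutoOpen\x00" + bytes([0x41, 0x12, 0x00, 0x7f])
    + b"REM constructed comment" + b"\x00\x01"
    + "ToolsMacro".encode("utf-16-le") + b"\x00\x00"
    + b"FileSaveAs" + b"\x00" * 8
    + b"\xff\xfe" + bytes(range(0x80, 0xa0))
)

# Constructed negative case: a Word 97 style header with no macro markers.
CLEAN_STREAM = (
    WORD97_WIDENT.to_bytes(2, "little") + (193).to_bytes(2, "little")
    + b"\x00" * 16 + b"Quarterly report, plain body text only." + b"\x00" * 8
)


if __name__ == "__main__":
    for label, data in (("constructed", SAMPLE_STREAM), ("clean", CLEAN_STREAM)):
        verdict = classify(data)
        print(label, verdict["flagged"], sorted(verdict["auto_exec"]),
              sorted(verdict["macro_cmds"]))
    print(carve_strings(SAMPLE_STREAM))
```

Searching both ASCII and UTF-16LE matters because identifiers in old Word streams are not stored uniformly; the marker check is deliberately a triage signal, not a verdict, which is why carve_strings is there to put the surrounding literals in front of an analyst.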

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 395 bytes
SHA-256: d332987be8c3711aa33a22aba9e5164109c4c209af5095e9efe210b69ad1ec82
Script preview
First 1,000 lines of the extracted script (at 395 bytes this is the whole file). Detokenisation is only partial here: most of the output is raw token values, and only the REM comment and a few @cmd references are readable.
= =
21349 19827 * ,   ,  
29797 ,                     = , ,    
    = , ,    
    = 2816 8704  
REM Brian Burdick       = -   -   -   -   -   -   -   -   -           = = -   -   -   -   -   = -   -   -   -   -   -   -   -   -   -   -   -   -   -   = = = = , = , , = 512 = 8308 @cmd6172   - - , , - - - - - - - - - - - - = , =             = , ,    
    = , ,    
    = 2816 3840 @cmd6964 @cmd0073