Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f42f4cc44bc38f2…

MALICIOUS

Office (OLE)

Size: 15.5 KB
Created: 1996-12-13 10:38:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: f682335abaae02e81ed9d4a5fa545d27
SHA-1: b1680718e4ec8c404ba1c5589865f1c92693ff34
SHA-256: 3f42f4cc44bc38f209d4867a159edf79ee634ed73498f73828a1a78746334c2d
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically related to 'ToolsMacro'. The document body contains numerous calls to macro functions like 'autoopen', 'FileSaveAs', and 'ToolsMacro', indicating an attempt to execute embedded macro code. This suggests the file is designed to download and execute a secondary payload, characteristic of older macro-based malware.

Heuristics (2)

  • [critical] ClamAV: Win.Trojan.Shuffle-1 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Shuffle-1
  • [high] Legacy WordBasic macro-virus markers (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.