Office (OLE) malware analysis — malicious · 451e514003345b87

MALICIOUS

Office (OLE)

28.5 KB Created: 1997-02-04 20:24:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14

MD5: dbd7dff0fb00b8c6f9d968eb9a4d3ae7 SHA-1: e3583141fc84826b24377330b6f58b53313d4997 SHA-256: 451e514003345b87e4a00f2ba36d196258d0c07e65afc2bc1870b71bd7a6e220

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro-virus markers, specifically related to the ToolsMacro event, indicating an attempt to execute malicious code. The document body contains self-aggrandizing text from 'CyberDarkness' and references to 'Darkness Incarnate', along with embedded strings that appear to be paths to executables like C:\WINDOWS\CONTROL.EXE. This suggests the macro is designed to run malicious code, potentially disguised as a system utility.

Heuristics 3

ClamAV: Win.Trojan.Incarnate-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Incarnate-2
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 29,184 bytes but its declared streams total only 12,047 bytes — 17,137 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.