Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 48b0ca5bba51d24e…

MALICIOUS

Office (OLE)

Size: 14.5 KB
Created: 1996-01-20 10:48:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: c8061a6a4b95b19e68873062aae79b91
SHA-1: cb9bdacfa53a4a31e309f2305002222ab32fa903
SHA-256: 48b0ca5bba51d24eda84c5e44f0dc7b45ef299e053c991f87b21d383a4cdbe14
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains legacy WordBasic macro virus markers and is detected by ClamAV as Doc.Trojan.Imposter-1. The document body contains strings related to macro installation and execution, suggesting an attempt to establish persistence or perform other malicious actions. The presence of 'IMPOST.DOT' in the document body suggests a potential filename for a dropped or related malicious file.

Heuristics (2)

  • ClamAV: Doc.Trojan.Imposter-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Imposter-1
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.