Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 48f32ff3741f071d…

MALICIOUS

Office (OLE)

Size: 12.5 KB
Created: 1997-04-08 19:06:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: d06b55d3f0d214a5b59c4d559cb304e6
SHA-1: 0babf50cea2756512db00f3e78ecb57604e74dbc
SHA-256: 48f32ff3741f071d2b13917faab6dff12de681a713aa1faff3287ab13eef1bad
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, indicated by the 'OLE_LEGACY_WORDBASIC_MACRO_VIRUS' heuristic firing. The presence of macro-related keywords like 'ToolsMacro', 'AutoOpen', and 'AutoClose' within the document body further supports this. While no specific malicious URLs or scripts were extracted, the file's structure and heuristic firings strongly suggest it is designed to execute embedded malicious macros.

Heuristics (2)

  • [critical] ClamAV: Win.Trojan.Talon-4 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Talon-4
  • [high] Legacy WordBasic macro-virus markers (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.