Win.Trojan.Armadillon-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 4ac7055320c22563…

MALICIOUS

Office (OLE)

15.5 KB
Created: 1997-03-17 21:42:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: 1902367567b45d09425b426f81334636
SHA-1: 3486c981af361189381eef84292328c66785e0ad
SHA-256: 4ac7055320c2256343e1dfc016187d4c37b6a126c44727b4db3970d1166a14aa
Risk Score: 100

Malware Insights

Win.Trojan.Armadillon-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro virus markers, specifically 'ToolsMacro', and the document body explicitly states that macros are required to view the full content. ClamAV identified the sample as Win.Trojan.Armadillon-1, indicating a known malicious trojan. The presence of macro-related keywords suggests an attempt to trick the user into enabling malicious macros, likely for initial execution.

Heuristics (2)

  • ClamAV: Win.Trojan.Armadillon-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Armadillon-1
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.