Win.Trojan.Andry-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 538eef420a4a9f18…

MALICIOUS

Office (OLE)

Size: 14.0 KB
Created: 1997-03-30 13:40:00
Authoring application: Microsoft Word 6.0
First seen: 2012-06-14
MD5: e49a4860e526882061a2187bb2897c9c
SHA-1: 34eea0a55e35dbb699e2e860e08bae3e242d2bba
SHA-256: 538eef420a4a9f1818bb071c3ffe07e458730dba8b1d495e42e66c03f2b6e284
Risk Score: 80

Malware Insights

Win.Trojan.Andry-3 · confidence 90%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Trojan.Andry-3. It contains a legacy WordBasic macro named 'AutoOpen', which is a known marker for automatic execution upon document opening. This suggests the macro is intended to download and execute a secondary payload, a common tactic for trojans.

Heuristics (2)

  • ClamAV: Win.Trojan.Andry-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Andry-3.
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; on its own it does not attribute the file to a downloader or to a parser CVE.