Win.Trojan.Heathen-1 — Office (OLE) / .EXE malware analysis

Static analysis result for SHA-256 5f0bb7c1e9f74d0f…

MALICIOUS

Office (OLE) / .EXE

Size: 82.0 KB · Created: 1999-07-01 17:44:00 · Authoring application: Microsoft Word 8.0
MD5: 4246521e772b0a3a64187fdcce8643ab
SHA-1: e9e78bfef71d1efd9f12763c2d802a8082fe073c
SHA-256: 5f0bb7c1e9f74d0fe19feeb8584b7342eb1bcd27fcbafc3040552fb9c821b95a
Risk Score: 160

Malware Insights

Win.Trojan.Heathen-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a critical ClamAV detection for Win.Trojan.Heathen-1 and a high-severity heuristic for GetProcAddress, indicating malicious activity. The AutoOpen VBA macro attempts to create a mutex named 'Heathen is here' and contains obfuscated code that likely downloads and executes a second-stage payload. The presence of VBA macros and the AutoOpen function strongly suggests this is a malicious document delivered via spearphishing.

Heuristics (4)

  • ClamAV: Win.Trojan.Heathen-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Heathen-1
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: cd39f2213201373472d1df6b1c09e4b769180831a55b136f01d53731e5584868
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 15354 bytes