Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 668ba62136b05db2…

MALICIOUS

Office (OLE)

Size: 296.5 KB
Created: 1997-08-14 05:57:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: bb29d5572ad9d52ade4b43a6ffa2ccd7
SHA-1: ff5612de3b5787d009a955edb068c175226cc185
SHA-256: 668ba62136b05db22ebc52109862486086e73550beac7a35a08b1fe37a35e43e
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, specifically identified by the 'TOOLSMACRO' marker. ClamAV detection as 'Doc.Trojan.Eraser-18' further confirms its malicious nature. The presence of macro virus markers strongly suggests the document is intended to execute malicious Visual Basic code upon opening.

Heuristics (2)

  • ClamAV: Doc.Trojan.Eraser-18 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Eraser-18
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_933072601/Ole10Native
Size: 82692 bytes
SHA-256: b9b9c0c93e3568069775c1ec674923229ddc99d2529023b0ec29b44fb1b36802