Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 761d55a20ed40ae6…

MALICIOUS

Office (OLE)

14.0 KB Created: 1997-03-21 04:19:00 Authoring application: Microsoft Word for Windows 95 First seen: 2015-09-16
MD5: 453080dc10f873ce29cf756fc03db8c0 SHA-1: 910e71a9b3764fbe16bfb4deb109b96cd173c2c8 SHA-256: 761d55a20ed40ae6e5a72559d6dab1dabcfdaeea6dbcb1204a4f1eb76aead92e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically 'ToolsMacro', and is identified by ClamAV as Win.Trojan.Cap-1. The document body contains numerous macro-related keywords and file paths, suggesting it is a test file designed to trigger or demonstrate macro virus functionality. No specific IOCs like URLs or hashes were extracted, but the presence of macro virus markers strongly indicates malicious intent.

Heuristics 2

  • ClamAV: Win.Trojan.Cap-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Cap-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.